Reporting
Highlighted

dynamic multiple selection in saved search

Contributor

Hi,

I have a below code which runs very slow because it is hitting the voluminous index to get the data which takes the huge time to retrieve the data for the particular dashboard ( I am using inline searches ) , Please see the code below :





<!-- Enable the sideview utils -->

<module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
</module>


<module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>

</module>


Select Report Time Period

        <module name="Search" layoutPanel="panel_row1_col2" autoRun="True">
  <param name="search">index=os sourcetype=vmstat source=plex earliest=-5m@m latest=now | lookup serverlist host | table server | dedup server | sort str(server)</param>


<module name="Pulldown">
  <param name="name">HOST_NAME</param>
  <param name="label">Server List :</param>
  <param name="size">4</param>
  <param name="template">server="$value$"</param>
  <param name="separator">+OR+</param>
  <param name="outerTemplate">( $value$ )</param>
  <param name="staticFieldsToDisplay"></param>
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">server</param>
      <param name="value">server</param>
    </list>
  </param>


                  <module name="SubmitButton">
          <param name="label">Submit</param>   






  <module name="HiddenSearch" layoutPanel="panel_row2_col1" >
        <param name="search">index=os | lookup serverlist host | search $HOST_NAME$ | avg(Percent_CPU_Load) by host_server useother=f limit=0</param>
        <param name="groupLabel">Percent Load by Host</param>
        <module name="HiddenChartFormatter">
          <param name="charting.primaryAxisTitle.text">Time</param>
          <param name="charting.secondaryAxisTitle.text">% Total CPU</param>
          <param name="charting.chart.nullValueMode">connect</param>
          <param name="charting.chart">line</param>
          <module name="JSChart">
            <param name="width">100%</param>
            <module name="ConvertToDrilldownSearch">
              <module name="ViewRedirector">
                <param name="viewTarget">flashtimeline</param>
              </module>
            </module>
          </module>
         </module>
      </module>



      </module>   

      </module> 

  </module>  

I want to use "scheduled saved searches" instead of "inline" and server name should be picked dynamically as it was being picked before ( in the above code )

Please help !!

0 Karma
Highlighted

Re: dynamic multiple selection in saved search

Contributor

Can I please have some clue on the above problem ? Please I need a help on this !!

0 Karma
Highlighted

Re: dynamic multiple selection in saved search

SplunkTrust
SplunkTrust

You can try this (untested)

1) create a saved search (say ss_getAvgCPULoadByHost) with following search string

index=os | lookup serverlist host | search $HOST_NAME$ | avg(Percent_CPU_Load) by host_server useother=f limit=0

Have it scheduled as per your need.

2) updated the search parameter for "HiddenSearch" module here, to

| savedsearch ss_getAvgCPULoadByHost HOST_NAME="$HOST_NAME$"
0 Karma
Highlighted

Re: dynamic multiple selection in saved search

Contributor

When I execute it gives me the below error :

Error in 'savedsearch' command: Unable to find saved search named 'ss_getAvgCPULoadByHost''.

0 Karma
Highlighted

Re: dynamic multiple selection in saved search

Contributor

The above error has gone and now the below has come :

Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'ssgetAvgCPULoadByHost': Error while replacing variable name='hostname'. Could not find variable in the argument map.

In my saved search , I have given the following query :
index=os sourcetype=cpu source=plex | lookup serverlist host | search server=$HOSTNAME$ | multikv fields pctIdle | eval PercentCPULoad = 100 - pctIdle | timechart avg(PercentCPULoad) by hostserver useother=f limit=0

0 Karma
Highlighted

Re: dynamic multiple selection in saved search

Contributor

I have removed "search $HOST_NAME$" from my saved search and it worked , but the graph is showing for all the listed items in the menu, Even If I select one or two items from the list, graph is appearing for all the itmes, I want to see the graph only for the selected items.

Please help !!

0 Karma
Highlighted

Re: dynamic multiple selection in saved search

Engager

Search should be saved as
savedsearchname
index=xyz KEY_1=123 KEY_2=456 HOST_NAME=$HOST_NAME$

When using in a dashboard it should be


<input type="text" token="HOST_NAME" searchWhenChanged="false">
<label>Host</label>
<default>*</default>
</input>

| savedsearch saved_search_name HOST_NAME =$HOST_NAME$

This works perfectly

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.