Alternative to stats dc(*)

linu1988 · ‎09-11-2013

Hello,
I have a dashboard for windows event viewer. There are two pulldowns which populates the relevant fields. But to populate them the search query which i use takes a long time. Is there any other alternative to them quickly rather than using the below?

| stats dc(*) as * |transpose|  where column != "host" AND column != "Type" AND column != "source" AND column !="sourcetype" and column != "index"

sowings · ‎09-11-2013

Then go with johnuwz's answer below, using the scheduled "growing" lookup table. It's going to be loads faster than doing stats dc(*) every time.

linu1988 · ‎09-11-2013

According to the above search i have another search which will have |stats value(1st_pulldown_value).

That's the case on the dashboard, it's not worthless as all the possible selection should be available and easy to filter the options. The end user won't have Splunk knowledge to use the search view.

"trying to provide all the information" means it should be exactly like eventvwr. if i give a smaller time period in earliest i will miss some relevant info in the pulldown which i don't want to.

sowings · ‎09-11-2013

What does "trying to provide all the information" mean? You want a pulldown with every possible field so that a user would pick one, and then do what? I guess I don't understand the use case of such a pulldown.

Any attempt to iterate all of the fields available for all of the data sources available is necessarily going to be slow; you'd have to fetch every event, see what fields get extracted, and then add it to the list. That sounds like mega overkill. Why use a pulldown when the field picker of the search view shows you all of the fields?

linu1988 · ‎09-11-2013

I am trying to provide all the information. At the starting we have the index name and particular server index=xx host=xx. But It takes long. Even if i will filter out the things it will scan all the events for the stats command. I was looking for something like |metadata which will help in getting results faster. I have not tried but will a summary index work?

sowings · ‎09-11-2013

Is the "| stats dc(*) AS *" literally the first part of the search? You could inadvertently be searching over everything in all available indexes, and yes, that would take a long time.

What fields are you trying to provide to the pulldown?

gfuente · ‎09-11-2013

Hello,

You could schedule a search a write the output to a lookup table, and then populate the dropdown using the lookup.

Something like:

Scheduled Search:
...your search string | outputlookup lookup.csv

And then in the dropdown, something like:

  < input type="dropdown" token="token">
        < label>Label< /label>
        < default>all< /default>
        < choice value="*">all< /choice> 
        < populatingSearch fieldForValue="field" fieldForLabel="field">  | inputlookup lookup.csv | dedup field < /populatingSearch>
    < /input>

*** Remove the trailing blanks after < character ***

Regards

jonuwz · ‎09-11-2013

Then schedule the populating search every 30 mins, and in the dropdown search, do a search over the last hour, append the results from inputlookup, and dedup.

linu1988 · ‎09-11-2013

Thank you for your reply, but i would like to have a complete list with updated fields till the point when i search. I would give it a try with the summary index.

Alternative to stats dc(*)

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life