Solved: Dashboard base search with extra search values

hvdtol · ‎05-28-2021

Hello,

I have a dashboard with 3 panels that load at the same time.
Almost 3 identical searches. The difference is i add extra search criteria to the 2nd and 3th search.

I would to refer in the 2nd and 3th panel to my base search, and add a token with the extra search criteria.
This way i reduce my code.

But i just cannot understand how to do this.

<row>
<panel>
<table>
<title>Title1</title>
<search id="mainsearch">
<query>index=my_index
..........
</query>
</table>
</panel>

<panel>
<table>
<title>Title2</title>
<search id="secondsearch">
<query>index=my_index AND "local"
..same statements...
</query>
</table>
</panel>

<panel>
<table>
<title>Title3</title>
<search id="thirdsearch">
<query>index=my_index AND (NOT "local")
..same statements...
</query>
</table>
</panel>
</row>

Any help is appreciated.

Regards,

Harry

gcusello · ‎05-28-2021

Hi @hvdtol,

I know that in best practces you have to put filters as left as possible, but this is the only way to use basesearches.

But, as @isoutamo said, the best solution is to have a transforming command in the base search, e.g. if you have in the secondary searches to filter for a field, you could insert a stats command BY that field in the base search, so you'll have a more performant search.

But if you cannot do this, using base searches anyway you limit the use of CPUs in your dashboard, but you have the limit of 500,000 results.

You can find more infos at https://docs.splunk.com/Documentation/Splunk/8.2.0/Viz/Savedsearches#Post-process_searches_2

Ciao.

Giuseppe

View solution in original post

hvdtol · ‎05-28-2021

Hi Giuseppe,

But i do wonder if this would be an efficient search.

panel-2 <search base="mainsearch">
<query>
| search "local"
.....
</query>

In the second search the filter on "local" will be at the end , and not at the index search time.
Or am i wrong?

Regards,

Harry

gcusello · ‎05-28-2021

Hi @hvdtol,

I know that in best practces you have to put filters as left as possible, but this is the only way to use basesearches.

But, as @isoutamo said, the best solution is to have a transforming command in the base search, e.g. if you have in the secondary searches to filter for a field, you could insert a stats command BY that field in the base search, so you'll have a more performant search.

But if you cannot do this, using base searches anyway you limit the use of CPUs in your dashboard, but you have the limit of 500,000 results.

You can find more infos at https://docs.splunk.com/Documentation/Splunk/8.2.0/Viz/Savedsearches#Post-process_searches_2

Ciao.

Giuseppe

hvdtol · ‎05-30-2021

Hi @gcusello gcusello and @isoutamo

I understood.
My final query ends with a chart statement.

I have been testing with some examples an managed to get the result i needed.

Thank you for your help

Regards,

Harry

gcusello · ‎05-30-2021

Hi @hvdtol,

good for you, see next time!
Ciao and happy splunking.

Giuseppe.

P.S.: Karma Points are appreciated by all the contributors 😉

isoutamo · ‎05-28-2021

That's right. The dashboard runs once the base search and then all those three search get it as an input and do what they needs. BUT using base search as non transforming search has some limitations. Usually base search should/must be a transforming search (eg. contains stats, chart, timechart). Without those it has limits (like @gcusello said, you must add fields + needed fields), and remember that it has limits how many rows it can deliver (like 50k or was it 500k?).

r. Ismo

hvdtol · ‎05-28-2021

Thank you Giuseppe,

I wll try this and look at the examples.

Regards,

Harry

gcusello · ‎05-28-2021

Hi @hvdtol,

if this answer solves your need, please accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎05-28-2021

Hi @hvdtol,

for more infos see at https://docs.splunk.com/Documentation/Splunk/8.2.0/Viz/Savedsearches#Post-process_searches_2 and I hint to install the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/) where you can find examples also about this.

Anyway you have to do something like this:

<search id="mainsearch">
          <query>
             index=my_index
             ..........
             | fields all the fields you use in panels
          </query>
</search>
<row>
  <panel>
    <table>
      <title>Title1</title>
        <search base="mainsearch">
          <query>
             ..........
          </query>
        </search>
    </table>
  </panel>
  <panel>
    <table>
      <title>Title2</title>
        <search base="mainsearch">
          <query>
            search "local"
            .....
          </query>
        </search>
    </table>
  </panel>
  <panel>
    <table>
    <title>Title3</title>
      <search base="mainsearch">
        <query>
           search (NOT "local")
           .....
        </query>
      </search>
    </table>
  </panel>
</row>

You have to put attention only to one thing: at the end of the basesearch put the "fields" command with all the fields that you have to use in all the panels referring to that basesearch.

Ciao.

Giuseppe

Dashboard base search with extra search values

other

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience