How to create a dashboard : timechart with base search and events limit?
asafd
Explorer
09-27-2022
12:24 AM
Hi,
I have multiple panels that need to run timecharts like these:
- something | table _time,A,B | search A="1"| timechart B
- something | table _time,A,B | search A="2"| timechart B
- something | table _time,A,B | search A="3"| timechart B
I want to optimize my dashboard for performance by using a base search, so I tried this:
<search id="base">
<query> something | table _time,A,B</query>
</search>
....
<panel>
<chart>
<search base="base">
<query>search A="1"|timechart count by B</query>
</search>
</chart>
</panel>
...
<panel>
<chart>
<search base="base">
<query>search A="2"|timechart count by B</query>
</search>
</chart>
</panel>
...
<panel>
<chart>
<search base="base">
<query>search A="3"|timechart count by B</query>
</search>
</chart>
</panel>
It works great on short times (24h) but with wider ranges (30 days) I lose events because of the base search limit (probably the default, 500,000).
Is there a way I can use base search for this?
I'm using Splunk Enterprise version 8.1.3.
asafd
Explorer
09-27-2022
02:08 AM
I tried to create a saved search (time range: -1y - now) and use it like this:
<search id="base" ref="saved_search">
<earliest>$sinceTime.earliest$</earliest>
<latest>$sinceTime.latest$</latest>
</search>
but it doesn't seem to solve the events limit issue when I use the past 30 days.
Also I would expect the chart to load immediately (since the base search is already saved), but it takes time to load.