Re: How to move all of the different searches to a...

noammeir · ‎11-16-2022

hi

I am trying to get my dashboard better and move all of the different searches to a single/couple of base searches and then post processing.

did what I saw in the forum and the documentation, didnt give any results...

original code (which gives results):

<form>
<label>Emulation run analysis</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="TimeRangePkr" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="steppingToken" searchWhenChanged="true">
<label>Stepping</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>stepping</fieldForLabel>
<fieldForValue>stepping</fieldForValue>
<search>
<query>index=validation_bigcore aa_data_source="core_emu_run_info" |stats count by stepping</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
</input>

</fieldset>
</form>

code I am trying with base search:

<form>
<label>Emulation run analysis</label>
<search id="baseSearch">
<query>index=validation_bigcore aa_data_source="core_emu_run_info"</query>
<earliest>$TimeRangePkr.earliest$</earliest>
<latest>$TimeRangePkr.latest$</latest>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="TimeRangePkr" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="steppingToken" searchWhenChanged="true">
<label>Stepping</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>stepping</fieldForLabel>
<fieldForValue>stepping</fieldForValue>
<search base="baseSearch">
<query> |stats count by stepping</query>
</search>
</input>
</fieldset>
</form>

tried playing with the earliest/latest to be in base-search, in the post processing, in both, none gave results so probably not that

any ideas what am I doing wrong?

thanks,

Noam

richgalloway · ‎11-16-2022

Base searches must contain a transforming command. Try adding | fields * to the base search.

---
If this reply helps you, Karma would be appreciated.

noammeir · ‎11-17-2022

thanks for the answer!

I didnt manage to make it work with fields - if you have some working example it would be appreciated.

I did manage to make something simple work with stats, however I do need the data not in the stats way since I do wish to make some more manipulations and visualizations on different fields of it. is there a good way to transfer the entire event data from base to post process? I dont mind going through stats/other and reverse it if that is possible and saves the multiple searches that currently run there

bowesmana · ‎11-17-2022

It is a bad idea to try to improve a dashboard by just 'collecting all data' with no aggregations in a base search and then post processing.

Firstly there is an event limit unless you aggregate

Secondly, even though you want to handle different fields and do different types of calcs, you can always do things like

search...
| bin _time span=1d
| stats count sum(val) as val by _time a b c d

and then in post processing searches you can do

| stats sum(count) by a

OR

| stats max(val) by b d

and so on.

So, look at base searches and see what you can do to make use of a base search.

Grabbing data and then trying to use it in a shared way, will often make your dashboard worse if there is a large data set.

How to move all of the different searches to a single/couple of base searches and then post processing?

stats

subsearch

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?