
How to move all of the different searches to a single/couple of base searches and then post processing?

noammeir
Explorer

Hi,

I am trying to get my dashboard better and move all of the different searches to a single/couple of base searches and then post processing.

I did what I saw in the forum and the documentation, but it didn't give any results...

original code (which gives results):

<form>
<label>Emulation run analysis</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="TimeRangePkr" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="steppingToken" searchWhenChanged="true">
<label>Stepping</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>stepping</fieldForLabel>
<fieldForValue>stepping</fieldForValue>
<search>
<query>index=validation_bigcore aa_data_source="core_emu_run_info" |stats count by stepping</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
</input>

</fieldset>
</form>

code I am trying with base search:

<form>
<label>Emulation run analysis</label>
<search id="baseSearch">
<query>index=validation_bigcore aa_data_source="core_emu_run_info"</query>
<earliest>$TimeRangePkr.earliest$</earliest>
<latest>$TimeRangePkr.latest$</latest>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="TimeRangePkr" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="steppingToken" searchWhenChanged="true">
<label>Stepping</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>stepping</fieldForLabel>
<fieldForValue>stepping</fieldForValue>
<search base="baseSearch">
<query> |stats count by stepping</query>
</search>
</input>
</fieldset>
</form>


I tried playing with the earliest/latest in the base search, in the post-processing search, and in both; none gave results, so it's probably not that.

Any ideas what I am doing wrong?

thanks,

Noam


richgalloway
SplunkTrust

Base searches must contain a transforming command. Try adding | fields * to the base search.

---
If this reply helps you, Karma would be appreciated.

noammeir
Explorer

Thanks for the answer!

I didn't manage to make it work with fields - if you have a working example, it would be appreciated.


I did manage to make something simple work with stats; however, I do need the data not in the stats form, since I wish to do some more manipulations and visualizations on different fields of it. Is there a good way to transfer the entire event data from the base search to the post-process search? I don't mind going through stats/other and reversing it if that is possible and saves the multiple searches that currently run there.

bowesmana
SplunkTrust

It is a bad idea to try to improve a dashboard by just 'collecting all data' with no aggregations in a base search and then post processing.

Firstly, there is an event limit unless you aggregate.

Secondly, even though you want to handle different fields and do different types of calcs, you can always do things like

search...
| bin _time span=1d
| stats count sum(val) as val by _time a b c d

and then in post processing searches you can do

| stats sum(count) by a

OR

| stats max(val) by b d

and so on.

So, look at base searches and see what you can do to make use of a base search.

Grabbing data and then trying to use it in a shared way will often make your dashboard worse if there is a large data set.
