Splunk Search

How to run a search only if the panel is visible

jjwallaby
Engager

The panel depends is been ignored and is still running the query which causes performance issues.
How can you only run a query if the panel is visible?

0 Karma

niketnilay
Legend

@arjunpkishore adding a search or where pipe for filtering results (whether it filters or not) implies it will be applied to all the events and return the same result as previous pipe. This means the dependency will impact query performance. Better approach is to use the comment macro with dummy dependency on the token used in depends or in the worst case use inexpensive commands like fields - with token for dummy dependency which does not perform any action when depenedent token is set.

@jjwallaby refer to one of my older answer for similar situation with example: https://answers.splunk.com/answers/683826/how-do-you-set-the-order-of-queries-to-be-run-in-a.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

arjunpkishore5
Motivator

The comment macro is new to me. Thanks for the tip. 🙂

jjwallaby
Engager

Thanks for answering.

Reasons you may have 10 panels
Each panel may have 5 or more queries charts..etc
So you want only
Run query if you actually on panel.

Otherwise performance is poor and wasting resources.

I thought splunk would have this feature.

Yes could convert and use js but that is last resort..as it is ugly and messy.

My question to you
If put the where condition at end of query..it still uses resources on backend.

Each query will take 1 process on backend..

Therefore if you have total 10 queries per panel is 100 queries forked off to backend.

0 Karma

arjunpkishore5
Motivator

If you have a variable in the search, then the search is not executed till the variable has value. I have replaced the where clause with the comment macro as suggested by @niketnilay

0 Karma

arjunpkishore5
Motivator

depends only affects the visibility of the panel. The query will run if it has everything it needs. To prevent this, you need to add the token to your search.

Here's one way to achieve this .Lets say your panel depends on the token $hidePanel$ you can make the search execution dependent on this token by adding |where $hidePanel$==$hidePanel$ to the end of the query. The where clause will just resolve to where True and won't filter your results

<panel depends="$hidePanel$">
      <title>Test</title>
      <table>
        <search>
          <query>|makeresults | where $hidePanel$==$hidePanel$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>

Based on your scenario, there are multiple ways to achieve this.

Hope this helps. Please Upvote and mark as answer if this is what you were looking for.

Cheers.

EDIT: Based on @niketnilay 's Tip, we can use the comment macro to eliminate the additional processing introduced by the where clause. Based on this, replacing the where clause with the comment macro

<panel depends="$hidePanel$">
      <title>Test</title>
      <table>
        <search>
          <query>|makeresults `comment("This search depends on $hidePanel$ for execution")`</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...