Splunk Search

I have 6 panels on a dashboard, but can only run 3 concurrent searches. How can I overcome this limit?

moesaidi
Path Finder

I have 6 panels on a dashboard, but only allow 3 concurrent searches for the user role.
Using Splunk Enterprise 6.2, is there any way we can load 3 panels at a time and only load the fourth when the first is complete, and so on?

So far, I've been able to overcome the limit by combining some panels together, and having a dropdown that you must select first before the search will run.

Ideally, I'd like to the panels to load one by one or in groups to avoid the "Concurrent limit reached" message that the users get.

Would be ideal if we could set a load delay on a panel, or a "load panel" button, etc..
I found the ability to hide a panel based on 'depends' but it still does the search in the background so it doesn't work as I'd need it to.

Any suggestions?

1 Solution

woodcock
Esteemed Legend

Yes, you can. Add this to the searches of your 3 "less-important" panels

| $NOOP_1$ | $NOOP_2$ | $NOOP_3$

Then you go to your first of the 3 "more-important" panels and make it look like this:

<panel>
  <title>Your First Panel</title>
  <chart>
    <search>
      <query>Your First Panel Search Here</query>
      <earliest>Your Earliest Here</earliest>
      <latest>Your Latest Here</latest>
      <progress>
         <unset token="NOOP_1"></unset>
      </progress>
      <finalized>
         <set token="NOOP_1">noop</set>
      </finalized>
    </search>
  </chart>
</panel>

Do your other 2 "more-important" panels similarly.

View solution in original post

saikiransplunk
New Member

i have created dashboard with 5 panels, all panels are loading at a time, but i want panel 1 should load and display after that the 2nd panel should load and display, after 2nd 3rd panel should load and display is it possible.
Could some one help me in this... im waiting for reply.

0 Karma

spammenot66
Contributor

I would recommend using tokens to display only three at a time and force your queries to run depending on the token value

0 Karma

woodcock
Esteemed Legend

Yes, you can. Add this to the searches of your 3 "less-important" panels

| $NOOP_1$ | $NOOP_2$ | $NOOP_3$

Then you go to your first of the 3 "more-important" panels and make it look like this:

<panel>
  <title>Your First Panel</title>
  <chart>
    <search>
      <query>Your First Panel Search Here</query>
      <earliest>Your Earliest Here</earliest>
      <latest>Your Latest Here</latest>
      <progress>
         <unset token="NOOP_1"></unset>
      </progress>
      <finalized>
         <set token="NOOP_1">noop</set>
      </finalized>
    </search>
  </chart>
</panel>

Do your other 2 "more-important" panels similarly.

rjthibod
Champion

Great idea @woodcock.

One quick note, wasn't finalized deprecated in 6.5 (https://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/EventHandlerReference#Search_event_handlers)?

If so, I think you need to replace finalized with done. That is supported in all of 6.3.x through 6.5.x.

0 Karma

rrovers
Communicator

Can you please give an example how to use $NOOP_1$ | $NOOP_2$ | $NOOP_3$ in the less important searches?

0 Karma

woodcock
Esteemed Legend

Hm. I just took Advanced Dashboarding & Visualizations a couple of months ago and On page 105 of the June 28th 2016 version of the class notes it says this:

Search Event       Description
<cancelled>        Execute actions when a search is cancelled.
<done>             Execute actions based on done search events.
<error>            Execute actions when there is an error in the search.
<fail>             Execute an action when a search fails while running.
<finalized>        Execute an action when a searchalizes and data is available
<progress>       * Execute an action on search progress events.
                 * Similar to the preview event handler.
                 * Access job properties and field results. The progress event has only job properties information available.
<preview>        * Execute an action when search preview data is available.
                 * Similar to the progress event handler.
                 * Access job properties and field results. The preview event has only preview information available.

@piebob; who needs to know about this?

0 Karma

rjthibod
Champion

Understood. I will try it out myself and report back.

0 Karma

rjthibod
Champion

OK, I would say you want to change it. finalized does not work as you would expect it to. It is not outright removed, but it does not function properly. The documentation on the website is a better guide. Your class notes are from before the release of 6.5.

My suggested version is below. Note, your unset is technically invalid because you are including a value. Splunk XML linter will flag that.

 <panel>
   <title>Your First Panel</title>
   <chart>
     <search>
       <query>Your First Panel Search Here</query>
       <earliest>Your Earliest Here</earliest>
       <latest>Your Latest Here</latest>
       <progress>
          <unset token="NOOP_1"/>
       </progress>
       <done>
          <set token="NOOP_1">noop</set>
       </done>
     </search>
   </chart>
 </panel>
0 Karma

woodcock
Esteemed Legend

Yes, my original answer fixed with the other valid syntax for unset.

0 Karma

gcusello
Legend

Hi moesaidi,
no, it isn't possible to load a panel after another one (or three) is completed, maybe it could be possible to insert a token in the searches of the second time panels.
Did you verified if you can group some of your searches in a post-process search? in this way your dashboard load is quicker.

Bye.
Giuseppe

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Do you have the same base search on some of the panels?

If so you can use post processing

http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...