Splunk Search
Highlighted

I have 6 panels on a dashboard, but can only run 3 concurrent searches. How can I overcome this limit?

Path Finder

I have 6 panels on a dashboard, but only allow 3 concurrent searches for the user role.
Using Splunk Enterprise 6.2, is there any way we can load 3 panels at a time and only load the fourth when the first is complete, and so on?

So far, I've been able to overcome the limit by combining some panels together, and having a dropdown that you must select first before the search will run.

Ideally, I'd like to the panels to load one by one or in groups to avoid the "Concurrent limit reached" message that the users get.

Would be ideal if we could set a load delay on a panel, or a "load panel" button, etc..
I found the ability to hide a panel based on 'depends' but it still does the search in the background so it doesn't work as I'd need it to.

Any suggestions?

Highlighted

Re: I have 6 panels on a dashboard, but can only run 3 concurrent searches. How can I overcome this limit?

SplunkTrust
SplunkTrust

Do you have the same base search on some of the panels?

If so you can use post processing

http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches

Highlighted

Re: I have 6 panels on a dashboard, but can only run 3 concurrent searches. How can I overcome this limit?

Legend

Hi moesaidi,
no, it isn't possible to load a panel after another one (or three) is completed, maybe it could be possible to insert a token in the searches of the second time panels.
Did you verified if you can group some of your searches in a post-process search? in this way your dashboard load is quicker.

Bye.
Giuseppe

0 Karma
Highlighted

Re: I have 6 panels on a dashboard, but can only run 3 concurrent searches. How can I overcome this limit?

Esteemed Legend

Yes, you can. Add this to the searches of your 3 "less-important" panels

| $NOOP_1$ | $NOOP_2$ | $NOOP_3$

Then you go to your first of the 3 "more-important" panels and make it look like this:

<panel>
  <title>Your First Panel</title>
  <chart>
    <search>
      <query>Your First Panel Search Here</query>
      <earliest>Your Earliest Here</earliest>
      <latest>Your Latest Here</latest>
      <progress>
         <unset token="NOOP_1"></unset>
      </progress>
      <finalized>
         <set token="NOOP_1">noop</set>
      </finalized>
    </search>
  </chart>
</panel>

Do your other 2 "more-important" panels similarly.

View solution in original post

Highlighted

Re: I have 6 panels on a dashboard, but can only run 3 concurrent searches. How can I overcome this limit?

Champion

Great idea @woodcock.

One quick note, wasn't finalized deprecated in 6.5 (https://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/EventHandlerReference#Search_event_handlers)?

If so, I think you need to replace finalized with done. That is supported in all of 6.3.x through 6.5.x.

0 Karma
Highlighted

Re: I have 6 panels on a dashboard, but can only run 3 concurrent searches. How can I overcome this limit?

Esteemed Legend

Hm. I just took Advanced Dashboarding & Visualizations a couple of months ago and On page 105 of the June 28th 2016 version of the class notes it says this:

Search Event       Description
<cancelled>        Execute actions when a search is cancelled.
<done>             Execute actions based on done search events.
<error>            Execute actions when there is an error in the search.
<fail>             Execute an action when a search fails while running.
<finalized>        Execute an action when a searchalizes and data is available
<progress>       * Execute an action on search progress events.
                 * Similar to the preview event handler.
                 * Access job properties and field results. The progress event has only job properties information available.
<preview>        * Execute an action when search preview data is available.
                 * Similar to the progress event handler.
                 * Access job properties and field results. The preview event has only preview information available.

@piebob; who needs to know about this?

0 Karma
Highlighted

Re: I have 6 panels on a dashboard, but can only run 3 concurrent searches. How can I overcome this limit?

Champion

Understood. I will try it out myself and report back.

0 Karma
Highlighted

Re: I have 6 panels on a dashboard, but can only run 3 concurrent searches. How can I overcome this limit?

Champion

OK, I would say you want to change it. finalized does not work as you would expect it to. It is not outright removed, but it does not function properly. The documentation on the website is a better guide. Your class notes are from before the release of 6.5.

My suggested version is below. Note, your unset is technically invalid because you are including a value. Splunk XML linter will flag that.

 <panel>
   <title>Your First Panel</title>
   <chart>
     <search>
       <query>Your First Panel Search Here</query>
       <earliest>Your Earliest Here</earliest>
       <latest>Your Latest Here</latest>
       <progress>
          <unset token="NOOP_1"/>
       </progress>
       <done>
          <set token="NOOP_1">noop</set>
       </done>
     </search>
   </chart>
 </panel>
0 Karma
Highlighted

Re: I have 6 panels on a dashboard, but can only run 3 concurrent searches. How can I overcome this limit?

Esteemed Legend

Yes, my original answer fixed with the other valid syntax for unset.

0 Karma
Highlighted

Re: I have 6 panels on a dashboard, but can only run 3 concurrent searches. How can I overcome this limit?

Explorer

Can you please give an example how to use $NOOP1$ | $NOOP2$ | $NOOP_3$ in the less important searches?

0 Karma