- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Post process search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Post process search
I have two searches
I have a dashboard with two panels.
1st panel has a query search1 join type=outer[search 2 ] to get a table of results
2nd panel has a query search2 join type=outer [search 1 ] to get a table of results
I did the above thing because they both give diff results and I need both of them.
is there any way to optimize my dashboard??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
To optimase your search you can use base search define here:
https://answers.splunk.com/answers/239159/multiple-base-searches-in-a-dasboard-with-post-pro.html
for example:
1. Define a base search:
<search id="base_search"> <query >search1 join type=outer[search 2 ] </query></search>
2. Use the base search like:
<search base="base_search"><query>\example\ | stats count .....</query></search>
<search base="base_search"><query>your_seconde_query</query></search>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only way we can help you is with more information. If you post the actual searches, then we can help you either optimize them or help you rethink it.
Your search can probably be refactored into something like this
(search 1) OR (search 2)
| fields whatever.fields.you.want.from.either.type
| eval rectype=if(test.that.this.is.a.search.one,"search 1","search 2")
| stats values(*) as * by whatever.your.key.match.fields.are
| table whatever.your.key.match.fields.are rectype whatever.fields.you.want.from.either.type
Field rectype will be a multivalue field. If both types of records were found, then mvcount(rectype) will be 2. If mvcount(rectype) is 1, then rectype will be either "search 1" or "search 2", indicating the type of record that was present, with the other type being absent.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search 1 is :
index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T")
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id
| rename report_id as reportname
search 2 is......... It has already a join in it but I still take this is as one search :
index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver
| table offer
| dedup offer
| eval offer=lower(offer)
| rename offer as Offer_Given
| join max=0 Offer_Given
[ search index=offered_reports earliest=1522540800 Master="master_splunk"
| eval Offer_Given=lower(Offer_Given) ]
| dedup reportname time_interval
| table reportname time_interval
By joining search 1 type=outer [search 2 ] gives me Extra reports which are present in search1 and not present in search2
By joining search 2 type=outer [search 1 ] gives me missing reports which are present in search2 and not present in search1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Full Searches:
first one;
index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T")
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id
| rename report_id as reportname
| join type=outer reportname
[ index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver
| table offer
| dedup offer
| eval offer=lower(offer)
| rename offer as Offer_Given
| join max=0 Offer_Given
[ search index=offered_reports earliest=1522540800 Master="master_splunk"
| eval Offer_Given=lower(Offer_Given) ]
| dedup reportname time_interval
| table reportname time_interval ]
| table reportname,time_interval,ReportCreatedDate
| fillnull value="Extra_reports"
Second one:
index=offered_reports earliest=1522540800 sourcetype=splunkoffer Server_Name=denver
| table offer
| dedup offer
| eval offer=lower(offer)
| rename offer as Offer_Given
| join max=0 Offer_Given
[ search index=offered_reports earliest=1522540800 Master="master_splunk"
| eval Offer_Given=lower(Offer_Given) ]
| dedup reportname time_interval
| table reportname time_interval
| rename reportname as report_guid
| join type=outer report_guid[search index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver
| eval ReportCreatedDate=strftime(ReportCreatedDate, "%D %T")
| stats first(ReportCreatedDate) AS ReportCreatedDate by report_id ]
| table report_guid,time_interval,ReportCreatedDate
| fillnull value="Missing"
Splunk Classroom Chronicles: Training Tales and Testimonials
Access Tokens Page - New & Improved
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
