Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: SearchTemplate + RealTime search to SearchPos...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi.
We are trying to create a dashboard in which all the panels use the same information about the current (real time) events being logged in a file for the last 30 minutes.
I want to use a element as I understand real time searches are CPU-expensive, so the main idea would be to get the data once in a real time search and keep passing the data to the elements to filter and reorganize different views of the same flow of events.
However, I don't know how to make it work. I've created the search template with the search clause, added the and elements but the panels with searchPostProcess elements either didn't receive data or keep waiting for data. I tried to set the search template withpur any time restriction but the search goes for all the events since the very beginning in the index, clearly that's not what we want as is more expensive and at the end such amount of information is not useful for what we want.
Is there a way to optimize the dashboard in this way, real-time searching only one time and passing the events to search postprocesses? Or the only option is to declare the whole real-time statement in every single panel. I think the second would be more demanding for the server as it would start several real-time searches over the same index at once.
Thanks for any help
Arturo.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just had a similar issue and thought it was a realtime issue but it wasnt.
The trick with SearchTemplates is you need to specify the fields you want to pass down to use in your SearchPostProcess searches.
<dashboard>
<label>Search Templates</label>
<description>An example of search templates</description>
<searchTemplate>sourcetype="mysourcetype" station="thisone" | fields _time, sectionCode, other, interesting, fields, station</searchTemplate>
<earliestTime>rt-80m</earliestTime>
<latestTime>rtnow</latestTime>
<row>
<table>
<searchPostProcess>search sectionCode=this | eval ontime=strftime(_time, "%H:%M:%S") | table *</searchPostProcess>
</table>
<table>
<searchPostProcess>search sectionCode=that | eval ontime=strftime(_time, "%H:%M:%S") | table *</searchPostProcess>
</table>
</row>
</dashboard>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just had a similar issue and thought it was a realtime issue but it wasnt.
The trick with SearchTemplates is you need to specify the fields you want to pass down to use in your SearchPostProcess searches.
<dashboard>
<label>Search Templates</label>
<description>An example of search templates</description>
<searchTemplate>sourcetype="mysourcetype" station="thisone" | fields _time, sectionCode, other, interesting, fields, station</searchTemplate>
<earliestTime>rt-80m</earliestTime>
<latestTime>rtnow</latestTime>
<row>
<table>
<searchPostProcess>search sectionCode=this | eval ontime=strftime(_time, "%H:%M:%S") | table *</searchPostProcess>
</table>
<table>
<searchPostProcess>search sectionCode=that | eval ontime=strftime(_time, "%H:%M:%S") | table *</searchPostProcess>
</table>
</row>
</dashboard>
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
