Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

dashboards with similiar data, but different timeframes

a212830
Champion
‎05-16-2014 11:19 AM

Hi,

I have a customer who created a dashboard with 28 unique searches. (Using Splunk 6.1.1). It's some cool stuff, but, that's nuts. A lot of the searches are simply different timeframes - one day in one chart, and 1 month in the other. Any suggestions on how to prevent 28 unique searches?

0 Karma
Reply

somesoni2
Revered Legend
‎05-16-2014 11:38 AM

Easiest option would be to create a saved search for the each unique search. Then in dashboard call the saved search with different time range.
e.g. 

<dashboard>
  <label>Splunk Home</label>
  <description/>
  <row>
    <single>
      <title>Last 15 Minute</title>
      <searchString>|savedsearch splunk_internal_count</searchString>
      <earliestTime>-15m</earliestTime>
      <latestTime>now</latestTime>
    </single>
  </row>
  <row>
    <single>
      <title>Last 30 Minutes</title>
      <searchString>|savedsearch splunk_internal_count</searchString>
      <earliestTime>-30m@m</earliestTime>
      <latestTime>now</latestTime>
    </single>
  </row>
</dashboard>
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-16-2014 07:03 PM

As an alternative or addition to post processing, you could accelerate, summarize, or schedule historic searches like the thirty day one because that's doing a lot of things over and over again without changes to the data.

Take schedule as an example, you could have the search run over -30d@d to @d every night at 1 AM and everyone loading the dashboard that day gets the canned results from 1 AM.

0 Karma
Reply

somesoni2
Revered Legend
‎05-16-2014 01:53 PM

That would be the best solution for these kind of situations. It may require search/postprocess search formation based on the requirements. Some reading can be done from here.

http://docs.splunk.com/Documentation/Splunk/6.1.1/Viz/PanelreferenceforSimplifiedXML

0 Karma
Reply

a212830
Champion
‎05-16-2014 12:11 PM

Thanks. That still seems like a lot of unnecessary over-lap. I recall the term "post-processor" for dashboards. Would that be appropriate? If so, can someone point me to links on how to do it?

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...