Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

dashboards with similiar data, but different timeframes

a212830
Champion
‎05-16-2014 11:19 AM

Hi,

I have a customer who created a dashboard with 28 unique searches. (Using Splunk 6.1.1). It's some cool stuff, but, that's nuts. A lot of the searches are simply different timeframes - one day in one chart, and 1 month in the other. Any suggestions on how to prevent 28 unique searches?

0 Karma
Reply

somesoni2
Revered Legend
‎05-16-2014 11:38 AM

Easiest option would be to create a saved search for the each unique search. Then in dashboard call the saved search with different time range.
e.g. 

<dashboard>
  <label>Splunk Home</label>
  <description/>
  <row>
    <single>
      <title>Last 15 Minute</title>
      <searchString>|savedsearch splunk_internal_count</searchString>
      <earliestTime>-15m</earliestTime>
      <latestTime>now</latestTime>
    </single>
  </row>
  <row>
    <single>
      <title>Last 30 Minutes</title>
      <searchString>|savedsearch splunk_internal_count</searchString>
      <earliestTime>-30m@m</earliestTime>
      <latestTime>now</latestTime>
    </single>
  </row>
</dashboard>
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-16-2014 07:03 PM

As an alternative or addition to post processing, you could accelerate, summarize, or schedule historic searches like the thirty day one because that's doing a lot of things over and over again without changes to the data.

Take schedule as an example, you could have the search run over -30d@d to @d every night at 1 AM and everyone loading the dashboard that day gets the canned results from 1 AM.

0 Karma
Reply

somesoni2
Revered Legend
‎05-16-2014 01:53 PM

That would be the best solution for these kind of situations. It may require search/postprocess search formation based on the requirements. Some reading can be done from here.

http://docs.splunk.com/Documentation/Splunk/6.1.1/Viz/PanelreferenceforSimplifiedXML

0 Karma
Reply

a212830
Champion
‎05-16-2014 12:11 PM

Thanks. That still seems like a lot of unnecessary over-lap. I recall the term "post-processor" for dashboards. Would that be appropriate? If so, can someone point me to links on how to do it?

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...