Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

simplifying a (field extraction error) dashboard?

mitag
Contributor
‎04-24-2020 12:45 PM

Possible to use the results of the same search in multiple panels on the same dashboard, and with different visualizations for them? (By the "same search" I mean: run it once, present results in several places via different means.)

Reason: make it faster, use less resources.

Example:

data quality dashboard

All four panels of the above dashboard use basically the same search that checks if a field message was extracted, and reports the stats highlighting the number of events where that field is not present.

Notes:
- Field message should be present in all events; if it's not - it's a field extraction error.
- The error is not necessarily the result of a bad field extraction regex - it could also be the result of a malformed event, event breaking too soon, etc.
- The top right panel is all that is needed - yet the other panels do help - I'd like to keep them there - although not at the expense of running multiple redundant searches.

The search:

sourcetype="some_sourcetype" 
| eval "Field Extraction Error(s)" = if(isnull(message),"present","not present")
| stats sparkline count by "Field Extraction Error(s)"

Possible?

Thanks!

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-24-2020 12:55 PM

Yes, it's possible. It's also common and recommended. Splunk calls it "post-processing" and you can read about it at https://docs.splunk.com/Documentation/Splunk/8.0.3/Viz/Savedsearches#Post-process_searches_2

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-24-2020 12:55 PM

Yes, it's possible. It's also common and recommended. Splunk calls it "post-processing" and you can read about it at https://docs.splunk.com/Documentation/Splunk/8.0.3/Viz/Savedsearches#Post-process_searches_2

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...