I have been working in Splunk building reports/dashboards for about a year. Six months ago, I was tasked with creating an app and integrating with our hosting platform to create reports about website activity. I've built all of the reports we want in the app and they work; however, some of the reports are retrieving half a million events or more, which results in really long wait times for the reports (some over 10-20 minutes).
A few of the reports I'm able to run on a schedule and then display the results of the scheduled search rather than running them real-time. But most of my dashboards include Sideview modules for text, drop-down, and multi-select inputs to manipulate the report, and displaying results of a scheduled search just won't work.
My goals are:
Rapidly display the initial load - I'd like for this initial load to be a scheduled search that displays a cached result set.
Improve the processing of searches that restrict the results.
Currently, if you try to restrict the results by clicking on something in the drop-down, it re-runs the entire search rather than processing the results based on the original data retrieved by the initial dashboard load.
I've tried to wrap my head around the examples in Sideview Utils and while what's explained makes sense, I'm struggling with actually implementing it in my own reports. I'm a learn-by-doing-with-copy/paste-and-tweak type of person and the examples don't seem to translate well to my dashboards.
Here's a generalized and slightly simplified version of one of my dashboards for use as an example. This one's extremely simple by comparison to most of the dashboards (this one has a time drop-down, two multi-selects, and a single chart; most of mine have 3-5 multi-selects and 4-6 charts, all of which are affected by a change to any one of the multi-selects).
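<!-- Start Time Range Dropdown -->
<!--
  Module tree for one dashboard panel. Every module below is nested inside the
  one above it, so each level inherits the tokens ($customRange$,
  $selectedWebsites$, $selectedMailingLists$) set upstream.

  autoRun="True" is kept on this top-most module only. The original listing also
  set it on the nested Pulldown and on both lookup Search modules; an autoRun
  nested under another autoRun pushes the same branch again on page load, so
  downstream searches are dispatched more than once.

  URLLoader makes URL arguments available to the modules below it, so the three
  tokens above can be pre-filled from a link and not only from a click in the UI.
  They end up inside search strings and time bounds further down.
-->
<module name="URLLoader" layoutPanel="viewHeader" autoRun="True">
  <module name="Pulldown" layoutPanel="panel_row1_col1">
    <param name="name">customRange</param>
    <param name="label">Time Range: </param>
    <!-- Each value is a comma-separated triple. The listing only reads the
         first two parts (earliest, latest); the third part is not referenced
         anywhere in the modules shown here. -->
    <param name="staticOptions">
      <list>
        <param name="label">Last 7 days</param>
        <param name="selected">true</param>
        <param name="value">-7d@d,@d,1d</param>
      </list>
      <list>
        <param name="label">Last 30 days</param>
        <param name="value">-30d@d,@d,1d</param>
      </list>
    </param>
    <!-- Splits $customRange$ on "," so the parts can be addressed downstream
         as $multiValueTimeRange[0]$ and $multiValueTimeRange[1]$. -->
    <module name="ValueSetter">
      <param name="name">multiValueTimeRange</param>
      <param name="delim">,</param>
      <param name="value">$customRange$</param>
      <!-- End Time Range Dropdown -->
      <!-- Start Web Site Dropdown -->
      <!-- Lookup search that populates the web site list. decode_entity is a
           search macro defined outside this listing. No earliest/latest is
           set on this module, so its time range comes from whatever is
           inherited from upstream. -->
      <module name="Search" layoutPanel="panel_row1_col1">
        <param name="search"><![CDATA[index="websites" | fields WebSiteKey Description | sort Description | `decode_entity("Description")` ]]></param>
        <!-- Multi-select. Each selected value is rendered through "template",
             the pieces are joined with "separator" (Sideview convention: "+"
             stands for a space), and the whole is wrapped by "outerTemplate",
             giving e.g. ( WebSiteKey="a" OR WebSiteKey="b" ).
             NOTE(review): the selected value is placed between double quotes
             in a search string. Verify that the installed Sideview Utils
             version escapes quotes and backslashes in $value$, and how a
             value supplied in the URL that is not in the option list is
             handled. -->
        <module name="Pulldown">
          <param name="name">selectedWebsites</param>
          <param name="label">Web site</param>
          <param name="size">3</param>
          <param name="template">WebSiteKey="$value$"</param>
          <param name="separator">+OR+</param>
          <param name="outerTemplate">( $value$ )</param>
          <!-- NOTE(review): the time range Pulldown uses staticOptions while
               this one uses staticFieldsToDisplay / searchFieldsToDisplay.
               Confirm both spellings are accepted by the installed Sideview
               Utils version. -->
          <param name="staticFieldsToDisplay">
            <list>
              <param name="label">All Web Sites</param>
              <param name="value">*</param>
            </list>
          </param>
          <param name="searchFieldsToDisplay">
            <list>
              <param name="label">Description</param>
              <param name="value">WebSiteKey</param>
            </list>
          </param>
          <!-- End Web Site Dropdown -->
          <!-- Start Mailing List Dropdown-->
          <!-- Lookup search for the mailing list options, already narrowed by
               the web site selection. It re-dispatches whenever
               $selectedWebsites$ changes. -->
          <module name="Search">
            <param name="search"><![CDATA[index="mailinglists" $selectedWebsites$ | fields List_name ListId | sort List_name ]]></param>
            <!-- Same template / separator / outerTemplate pattern as the web
                 site Pulldown, producing ( ListId="..." OR ListId="..." ).
                 The same escaping check applies to $value$ here. -->
            <module name="Pulldown">
              <param name="name">selectedMailingLists</param>
              <param name="label">Mailing List</param>
              <param name="size">4</param>
              <param name="template">ListId="$value$"</param>
              <param name="separator">+OR+</param>
              <param name="outerTemplate">( $value$ )</param>
              <param name="staticFieldsToDisplay">
                <list>
                  <param name="label">All Mailing Lists</param>
                  <param name="value">*</param>
                </list>
              </param>
              <param name="searchFieldsToDisplay">
                <list>
                  <param name="label">List_name</param>
                  <param name="value">ListId</param>
                </list>
              </param>
              <!-- End Mailing List Dropdown -->
              <!-- Start Results Panel -->
              <!--
                Main report search. The CDATA lines are left flush-left and
                unchanged because whitespace inside CDATA is part of the
                search string.

                Points to check in the search as listed:
                - The final "table" names Subject and Bounced, but no step
                  creates them; the fields fetched are MailingSubject and
                  BouncesCount. As written those two columns would be empty.
                  Possibly a rename was dropped when the example was
                  simplified; if so, something like
                  "rename MailingSubject as Subject, BouncesCount as Bounced"
                  before "table" restores them.
                - OpenedCount is read from index="mailings" and then
                  overwritten by round(DeliveredCount*0.125, 0) before Clicks
                  is added, so the indexed value is never used.
                - Both joins run subsearches. Subsearches are subject to the
                  result-count and runtime limits in limits.conf; when a
                  limit is hit, rows are dropped and the table still renders.
                - PageViewed="*?ET=*" begins with a wildcard, and the
                  mailinglists subsearch uses earliest=0 latest=now (all
                  time) regardless of the selected range.
                - Every change to $selectedWebsites$ or $selectedMailingLists$
                  re-dispatches this whole search, because both tokens appear
                  inside it.
                - If the initial load is later served from a scheduled
                  search, those cached results are computed under the saved
                  search owner's permissions. NOTE(review): confirm every
                  viewer of the dashboard is entitled to that data.
              -->
              <module name="Search">
                <param name="search">
<![CDATA[index="usage" PageViewed="*?ET=*" $selectedWebsites$ |
fields PageViewed, ReaderUserKey, mlmid |
stats dc(ReaderUserKey) as "Clicks" by mlmid |
join mlmid [ search index="mailings" $selectedWebsites$ $selectedMailingLists$ |
fields _time, MailingID, OpenedCount, DeliveredCount, MailingSubject, ListId, BouncesCount |
eval mlmid=MailingID |
rename _time as eDate ] |
join type=outer ListId [ search index="mailinglists" earliest=0 latest=now $selectedWebsites$ $selectedMailingLists$ |
fields ListId, List_name ] |
eval Date=strftime(eDate, "%Y-%m-%d %I:%M %p") |
eval OpenedCount=round((DeliveredCount*0.125), 0) |
eval Delivered=(DeliveredCount - BouncesCount) |
eval OpenedCount=(OpenedCount + Clicks) |
table eDate, Date, Subject, List_name, DeliveredCount, Bounced, Delivered, OpenedCount, Clicks |
sort -eDate | fields - eDate]]></param>
                <!-- Time bounds come from the first two parts of the selected
                     customRange value. -->
                <param name="earliest">$multiValueTimeRange[0]$</param>
                <param name="latest">$multiValueTimeRange[1]$</param>
                <module name="Paginator" layoutPanel="panel_row1_col1">
                  <param name="entityName">results</param>
                  <param name="count">50</param>
                  <module name="EnablePreview">
                    <param name="display">False</param>
                    <param name="enable">True</param>
                    <!-- drilldown is "none" on this table, so the
                         ConvertToDrilldownSearch / ViewRedirector pair below
                         is presumably never triggered by a click. Confirm
                         before relying on it. -->
                    <module name="SimpleResultsTable">
                      <param name="allowTransformedFieldSelect">True</param>
                      <param name="drilldown">none</param>
                      <param name="entityName">results</param>
                      <param name="count">50</param>
                      <module name="Gimp"/>
                      <module name="ConvertToDrilldownSearch">
                        <module name="ViewRedirector">
                          <param name="viewTarget">flashtimeline</param>
                        </module>
                      </module>
                    </module>
                    <!-- Link that opens the current search in the
                         flashtimeline view. -->
                    <module name="ViewRedirectorLink">
                      <param name="viewTarget">flashtimeline</param>
                    </module>
                  </module>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>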