Hi That worked | mstats count(_value) as total where metric_name = "*" AND index = murex_metrics Cheers   ... View more

Hi This is a great answer thanks - lots for me to think about in this one. For the record, the search normally finishes in .2 seconds. I will try to but the base searches as a transforming search  and see how it works for me. I will also look at some of the other points to see if the issue 100% goes away. The dashboard is monitoring the production system - businesses want 5 seconds to refresh rates - I think it is too much as well, but I am trying to give them what they want.   regards Robert ... View more

Hi I have added it below. I have made 3 base searches, and each of them comes from the original. I do this so we do 1 big data pull in basesearch1 and then we use filtering on no2 and no3, so the dashboard does not jump if a user clicks on a dropdown. we are doing high-frequency refresh - this is what business wants - so that might be causing the issues. This is a cutdown version of the code - but the issues could happen on any pannel. <refresh>5s</refresh> <form theme="dark"> <label>MX.3 SIGNIFICANT EVENTS</label> <search> <query>| makeresults count=1 annotate=false </query> <done> <set token="token_event_search">*</set> <!--set token="host_token">PDT</set--> <set token="app_name">MX.3_MONITORING</set> <set token="pid_token">*</set> <set token="pid_token1">*</set> </done> </search> <search> <query>| makeresults count=1 annotate=false </query> <done> <!--Set Tokens if a URL has come to re set some of the tokens to they will be visibale in the screen--> <condition match="$URL_TRAP$==&quot;SET&quot;"> <set token="form.host_token">$host_token1$</set> <set token="form.Severity_token">$Severity_token1$</set> <set token="Severity_token">$Severity_token1$</set> <set token="form.Service_Name">$Service_Name1$</set> <set token="form.pid_token">$pid_token1$</set> <set token="pid_token">$pid_token1$</set> </condition> <condition match="match($ERROR_FILTER$,&quot;true&quot;)"> <set token="form.Severity_token">"FATAL" "ERROR"</set> <set token="Severity_token">"FATAL" "ERROR"</set> </condition> <condition match="match($EVENT_FILTER$,&quot;EVENT&quot;)"> <eval token="form.time_token.earliest">$latest$</eval> <eval token="form.time_token.latest">$latest$+300</eval> <set token="form.Severity_token">*</set> </condition> <condition> <set token="Severity_token">*</set> <set token="Service_Name">*</set> </condition> </done> </search> <search id="basesearch"> <query>index="murex_logs" ```using regex as search and where are not reliable and sometimes they don't work``` | regex mx.env="$host_token$" | regex log.type="sig-event" | rename code as Code | rename otel.log.severity.text as Severity | rename _raw as Description | rename component.name as Component | rename service.name as Service_Name | rename file as evtFile | rex mode=sed field=Service_Name "s/ //g" | table _time Code Severity Description Component pid Service_Name evtFile | search pid=$pid_token$ | sort 0 - _time </query> <earliest>$time_token.earliest$</earliest> <latest>$time_token.latest$</latest> <sampleRatio>1</sampleRatio> <refresh>5s</refresh> <refreshType>delay</refreshType> </search> <search base="basesearch" id="basesearch2"> <query> | search Service_Name IN ($Service_Name$) | search Severity IN ($Severity_token$) </query> </search> <search base="basesearch2" id="basesearch3"> <query> | eval Module="UNDEFINED" | join type=left Service_Name [| mstats min(mx.service.dependencies.status) as Dependencies_x WHERE "index"="murex_metrics" AND mx.env="$host_token$" span=10s BY "service.name" "service.type" used.by | sort 0 - _time | dedup service.name | rename "used.by" as Module1 | table service.name service.type Module1 | eval Module=split(Module1, ",") ```used.by which is a comma separated fields, the mvexpand is to make it a multivalue field to be able to join on each of the comma separated values``` | mvexpand Module ```remove all the services that have the used.by field empty as it will not have a related module``` | search Module != "" ```join on the Module to see what are the services that are related by dependency relation to bpc names and not only to other services ``` | join Module [ ```get all the BPC names that have configured dependencies in order to map them to the different services``` | mstats avg("mx.bpc.status") as BPC_STATUS WHERE "index"="murex_metrics" AND mx.env=$host_token$ span=10s BY "bpc.name" | dedup bpc.name | rename bpc.name as Module | table Module ] ```if there is a service that has several bpc names in its used.by, until now it will show several times in several lines with Module equal to one of the bpc names each time. The below command is to combine these bpc names into one field to have one single line with this service.name``` | stats list(*) as * by service.name service.type Module1 | rename service.name as Service_Name ```below is to convert the multivalue field module into a single value field containing the different bpc names related to this service with a whitespace delimiter``` | rex mode=sed field=Service_Name "s/ //g" | nomv Module | fields - Module1] | search Module IN ($Module_token$) </query> </search> <fieldset submitButton="false" autoRun="true"> <html> <a href="http://hp737srv:8000/en-US/app/$app_name$/pac_plo_events?form.host_token=$host_token$">Reload All</a> / <a href="http://hp737srv:8000/en-US/app/$app_name$/pacplo_production_monitoring?form.host_token=$host_token$">Back To Overall System View</a> </html> <input type="dropdown" token="host_token"> <label>HOST</label> <fieldForLabel>mx.env</fieldForLabel> <fieldForValue>mx.env</fieldForValue> <search> <query>index="murex_logs" | regex log.type="sig-event" | stats count by mx.env | sort 0 mx.env | table mx.env</query> <earliest>$time_token.earliest$</earliest> <latest>$time_token.latest$</latest> </search> <default>dell1215srv:15017</default> <initialValue>dell1215srv:15017</initialValue> </input> <input type="time" token="time_token" searchWhenChanged="true"> <label>Time</label> <default> <earliest>-5m</earliest> <latest>now</latest> </default> </input> <input type="multiselect" token="Severity_token"> <label>Severity</label> <default>*</default> <initialValue>*</initialValue> <fieldForLabel>Severity</fieldForLabel> <fieldForValue>Severity</fieldForValue> <search base="basesearch2"> <query> | sort 0 - _time | table Severity | dedup Severity</query> </search> </input> <input type="multiselect" token="Module_token"> <label>Module</label> <default>*</default> <initialValue>*</initialValue> <fieldForLabel>Module</fieldForLabel> <fieldForValue>Module</fieldForValue> <search base="basesearch3"> <query> | sort 0 - _time | table Module | dedup Module</query> </search> </input> <input type="multiselect" token="Service_Name" searchWhenChanged="true"> <label>Service_Name</label> <default>*</default> <initialValue>*</initialValue> <fieldForLabel>Service_Name</fieldForLabel> <fieldForValue>Service_Name</fieldForValue> <search base="basesearch3"> <query>| sort 0 - _time | table Service_Name | dedup Service_Name</query> </search> <valuePrefix>"</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> </delimiter> </input> <input type="radio" token="reset_filters" searchWhenChanged="true"> <label></label> <choice value="true">Reset_Filters</choice> <default></default> <change> <condition value="true"> <set token="token_event_search">*</set> <set token="form.Severity_token">*</set> <set token="form.Module_token">*</set> <unset token="code_token"></unset> <set token="form.Service_Name">*</set> <set token="pid_token">*</set> <unset token="form.reset_filters"></unset> </condition> </change> </input> </fieldset> <row> <panel> <title>Nb of events by Severity</title> <table> <search base="basesearch3"> <query>| stats count as events_Number by Severity</query> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">row</option> <option name="percentagesRow">false</option> <option name="refresh.display">none</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="Severity"> <colorPalette type="map">{"INFO":#4FA484,"ERROR":#DC4E41,"WARN":#F8BE34}</colorPalette> </format> <format type="color" field="events_Number"> <colorPalette type="minMidMax" maxColor="#53A051" minColor="#FFFFFF"></colorPalette> <scale type="minMidMax"></scale> </format> <drilldown> <set token="form.Severity_token">$row.Severity$</set> </drilldown> </table> </panel> <panel> <title>Nb of events by Module</title> <table> <search base="basesearch3"> <query> | stats count as events_Number by Module</query> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">row</option> <option name="percentagesRow">false</option> <option name="refresh.display">none</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="Module"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> <format type="color" field="events_Number"> <colorPalette type="minMidMax" maxColor="#53A051" minColor="#FFFFFF"></colorPalette> <scale type="minMidMax"></scale> </format> <format type="color" field="Module"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> <drilldown> <set token="form.Module_token">$row.Module$</set> </drilldown> </table> </panel> <panel> <title>Nb of events by Service_Name</title> <table> <search base="basesearch3"> <query>| stats count as events_Number by Service_Name</query> </search> <option name="count">10</option> <option name="dataOverlayMode">none</option> <option name="drilldown">row</option> <option name="percentagesRow">false</option> <option name="refresh.display">none</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="Service_Name"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format> <format type="color" field="events_Number"> <colorPalette type="minMidMax" maxColor="#53A051" minColor="#FFFFFF"></colorPalette> <scale type="minMidMax"></scale> </format> <drilldown> <set token="form.Service_Name">$row.Service_Name$</set> </drilldown> </table> </panel> </row> </form>     ... View more

Hi Yes, we are running a high refresh rate in this dashboard, so the dropdown would be updating sometimes. In my case, the dashboard is refreshing in the last 1 minute. I have one base search in the dashboard and all dropdowns and pannels are linked to it. So it's a bit strange when one of them gives the errors and the other does not. Any ideas on how to fix it?   Regards Robert ... View more

Hi  Thanks for the good replay. I think you are right I will wait for things to go wrong before I try to add on optimizations. We are about to move to 8.1.9, however, I think there is a bug with the " of ingestion pipelines" not working for a few versions. I think it might only work in 8.2.4 or something like that. Thanks again Rob ... View more

hi    After reading this paper it is saying that out of the box this is not optimized, so I just want to optimize it. I don't have any specif error message at the moment, but i am also not sure if it is working as fast as it can https://www.outcoldsolutions.com/blog/2021-04-21-configuring-hec-for-performance/ ... View more