Dashboards & Visualizations

Dashboard search optimization - only run searches when necessary?

nick405060
Motivator

Hi there,

I have a "User Activity" dashboard that has a multiselect with options "All", "Exchange", "WinEventLog", "Badge_Logs", "VPN_Logs", etc. On that dashboard there is a table that displays user activity for whatever options are selected. Each option has a separate search associated with it, and all of them are run when the dashboard is initially loaded. Basically I just run and append all the searches as a base search and then use the multiselect tokens in a post-process search to select which data is displayed, which is instantaneous since the base search does all the work.

My question is - is it possible to optimize this so that a search is only run when an option is selected, and then never run again (unless the user search or time picker has changed)? So, if "All" is selected and "Exchange" and "WinEventLog" have already been run, then I ONLY want "Badge_Logs" and "VPN_Logs" to then run to finish filling in the data.

0 Karma
1 Solution

nick405060
Motivator

I partially solved this, in part thanks to

https://answers.splunk.com/answers/616340/is-it-possible-to-use-base-search-in-append-sub-se.html

but mostly thanks to myself. I'm able to do multiple separate base searches that feed into one, and I'm able to conditionally search based on what is selected in the multiselect. For a complete solution (so that adding another option to the multiselect will ONLY run searches that haven't already been run), you can do this by having a conditional token set, where the token is only set to the id of the job that ran if the time period has changed, or the search string has changed, or the token hasn't been set to a job yet. (This is not done below.)

Multiselect:

<input type="multiselect" token="sourcetypes">
  <label>Session sourcetypes:</label>
  <choice value="MSExchange:2013:MessageTracking">Exchange</choice>
  <choice value="WinEventLog">WinEventLog</choice>
  <!-- initialValue must list choice values, not labels -->
  <initialValue>MSExchange:2013:MessageTracking,WinEventLog</initialValue>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <!-- renders as (sourcetype=#MSExchange:2013:MessageTracking# OR sourcetype=#WinEventLog#) -->
  <valuePrefix>sourcetype=#</valuePrefix>
  <valueSuffix>#</valueSuffix>
  <delimiter> OR </delimiter>
</input>

Base searches (you can have as many of these as you want. No id required. Only one shown below.):

<search>
  <query>
    | makeresults | eval searcher=if(match("$sourcetypes$","MSExchange"),"msexchange","junkindex") | map maxsearches=1000 search="search index=\"$$searcher$$\" <remainder of search>"
  </query>
  <earliest>$TIMERANGE.earliest$</earliest>
  <latest>$TIMERANGE.latest$</latest>
  <done>
    <!-- $$searcher$$ escapes the dollar signs so that map, not the dashboard, substitutes the field -->
    <!-- publish the finished job's sid so the table can loadjob it -->
    <condition>
      <set token="exchange_events">$job.sid$</set>
    </condition>
  </done>
</search>

and table looks like:

| makeresults | append [| loadjob "$windows_events$"] | append [| loadjob "$exchange_events$"]


0 Karma
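Below is a complete Simple XML dashboard that implements the scheme the answer sketches, including the conditional gating it leaves undone, so that a per-option search is dispatched only while its option is selected and is not re-dispatched when other options are added. This is an added example, not the poster's dashboard. The index names `wineventlog` and `msexchange`, the fields `host` and `user`, the token names, and the assumption that re-setting a token to its current value does not re-dispatch a search are all assumptions of the example, not facts from the thread.

```xml
<form>
  <label>User Activity (cached base search per option)</label>
  <fieldset submitButton="false">
    <input type="time" token="TIMERANGE">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="sourcetypes">
      <label>Session sourcetypes:</label>
      <choice value="MSExchange:2013:MessageTracking">Exchange</choice>
      <choice value="WinEventLog">WinEventLog</choice>
      <initialValue>MSExchange:2013:MessageTracking,WinEventLog</initialValue>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <!-- renders as (sourcetype=#MSExchange:2013:MessageTracking# OR sourcetype=#WinEventLog#);
           the # markers give each value an exact-match boundary for the like() filter below -->
      <valuePrefix>sourcetype=#</valuePrefix>
      <valueSuffix>#</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>

  <!-- Gate search for the Windows option. makeresults is free, so it may re-run on every
       multiselect change; its only job is to open or close the gate token $windows_index$. -->
  <search>
    <query>| makeresults | eval selected=if(match("$sourcetypes$", "WinEventLog"), 1, 0)</query>
    <done>
      <!-- selected: open the gate (assumed: re-setting the same value does not re-dispatch) -->
      <condition match="$result.selected$ == 1">
        <set token="windows_index">wineventlog</set>
      </condition>
      <!-- not selected: close the gate and hand the table this empty job as a placeholder -->
      <condition>
        <unset token="windows_index"></unset>
        <set token="windows_job">$job.sid$</set>
      </condition>
    </done>
  </search>

  <!-- Expensive search for the Windows option (index name is an assumption). It cannot dispatch
       while $windows_index$ is unset and re-runs only when that token or the time range changes. -->
  <search>
    <query>search index="$windows_index$" sourcetype=WinEventLog | table _time sourcetype host user</query>
    <earliest>$TIMERANGE.earliest$</earliest>
    <latest>$TIMERANGE.latest$</latest>
    <done>
      <set token="windows_job">$job.sid$</set>
    </done>
  </search>

  <!-- Same gate/expensive pair for the Exchange option -->
  <search>
    <query>| makeresults | eval selected=if(match("$sourcetypes$", "MSExchange"), 1, 0)</query>
    <done>
      <condition match="$result.selected$ == 1">
        <set token="exchange_index">msexchange</set>
      </condition>
      <condition>
        <unset token="exchange_index"></unset>
        <set token="exchange_job">$job.sid$</set>
      </condition>
    </done>
  </search>
  <search>
    <query>search index="$exchange_index$" sourcetype="MSExchange:2013:MessageTracking" | table _time sourcetype host user</query>
    <earliest>$TIMERANGE.earliest$</earliest>
    <latest>$TIMERANGE.latest$</latest>
    <done>
      <set token="exchange_job">$job.sid$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>User activity</title>
      <table>
        <!-- loadjob only, so this is instant. It waits until both job tokens exist; the like()
             filter drops placeholder rows (no sourcetype field) and deselected options. -->
        <search>
          <query>
| makeresults
| append [| loadjob "$exchange_job$"]
| append [| loadjob "$windows_job$"]
| where like("$sourcetypes$", "%#" . sourcetype . "#%")
| table _time sourcetype host user
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Behaviour: selecting an option opens its gate once, so the expensive search runs a single time for the current time range; adding further options re-runs only the gate searches, which are makeresults and cost nothing. Deselecting swaps the table to an empty placeholder job and closes the gate, so re-selecting does dispatch again; a time-range change re-dispatches every open option, which is the reset the answer asks for. Two caveats worth knowing: `loadjob` only works while the job artifact is within its TTL, so a dashboard left idle past that needs a reload or a time-range change, and `like()` treats `_` as a single-character wildcard, so a sourcetype such as `Badge_Logs` is matched slightly more loosely than the `#` boundaries suggest.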
