Splunk scheduled report filtering and dashboard panels

mbasharat
Contributor

Hi,

I have a scheduled report in Splunk that runs nightly. It is accelerated for 7 days and runs back in time for 7 days also.

This report provides me comprehensive information about all my assets and respective information.

The report has about 10 million statistical records for our assets as we need.

When I reference my dashboard panels using this report, they error out complaining about "error fetching data", and it seems like that is because it is a huge data set, since it is fine with a smaller data set. But when I open the report as normal in reports, it loads in less than 5 seconds.

I need to know: if I add a report to a dashboard as a table, which I do, is it possible to add dropdown filter menus to parse information from that huge report table, or even from the report by itself? Or how do I get the dashboard panels to load quicker when digging through this large report?

Report contents example:

Host, Barcode, Company, BusinessUnit, Location, ContactPerson

I want filters for Company, BusinessUnit, Location, ContactPerson so I can list Host, Barcode information associated with the selection from this huge data.

Thanks in advance.

0 Karma
1 Solution

lakshman239
SplunkTrust

Where is the result of your accelerated report stored? Is that in an index or a CSV file? In the dashboard, you can have a time picker to restrict the time range and additional fields to load by default [as required]. Based on the filters selected by the user, you can run the search against your index/lookup. If you have multiple panels, use the base and post-process search approach.

And if you still suffer with performance, you might want to look at creating a custom datamodel and storing the results/fields and use DM acceleration to get additional benefits and use tstats in your dashboards for performance.

0 Karma
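
One way to wire up the base and post-process approach suggested in the answer above, as an added Simple XML example that is not from the original thread. The saved search reference `OWNER:APP:REPORT_NAME`, the token names and the panel title are placeholders; only two of the four requested filters are shown, and BusinessUnit and ContactPerson follow the same pattern.

```xml
<form>
  <label>Asset lookup (example)</label>
  <!-- Base search: runs once and reuses the results of the latest scheduled
       run of the report. OWNER:APP:REPORT_NAME is a placeholder. -->
  <search id="assets_base">
    <query>| loadjob savedsearch="OWNER:APP:REPORT_NAME"
| fields Host Barcode Company BusinessUnit Location ContactPerson</query>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="company" searchWhenChanged="true">
      <label>Company</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>Company</fieldForLabel>
      <fieldForValue>Company</fieldForValue>
      <!-- Choices are post-processed from the base results, not a new search -->
      <search base="assets_base">
        <query>| stats count by Company | fields Company</query>
      </search>
    </input>
    <input type="dropdown" token="location" searchWhenChanged="true">
      <label>Location</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>Location</fieldForLabel>
      <fieldForValue>Location</fieldForValue>
      <!-- Narrow the Location choices to the selected Company -->
      <search base="assets_base">
        <query>| search Company=$company|s$ | stats count by Location | fields Location</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Hosts and barcodes for the selection</title>
      <table>
        <!-- The |s token filter quotes the selected value, so a value with
             spaces or quotes stays a single search term -->
        <search base="assets_base">
          <query>| search Company=$company|s$ Location=$location|s$
| table Host Barcode Company Location</query>
        </search>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>
```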

mbasharat
Contributor

Hi Lakshman, I figured a way via base and post process. Still taking long but a lot better than before! 🙂 TY!!

0 Karma

lakshman239
SplunkTrust

Glad it worked, pls accept the solution to close the thread. I also suggest looking at having a custom datamodel created for your use case with the required fields and accelerating it, so you can use tstats to further improve performance.

0 Karma

mbasharat
Contributor

Will do. THX!!

0 Karma