Dashboards & Visualizations

SearchPostProcess within Dashboard

mcwomble
Path Finder

Hi,

I have created a dashboard which is too intensive with its searches. Each search is effectively reading fields from the same line. In order to alleviate this loading I have created a form with a search template and related postprocessing searches, which works well and reduces the load time of the dashboard.

However this creates some strange behaviour in that the <earliestTime> tag seems to be ignored and graphs only show the last 6 hours.

Also is it possible to use postprocessing searches (preferably non-dynamic) within a dashboard? Replacing the <form> tags with <dashboard> results in blank graphs, which I assume is caused by the lack of user input in the <fieldset> component.

Excerpt from the form is as follows:

<form>
  <label>order dashboard</label>

  <fieldset autoRun="true">
    <input type="time">
      <default>Last 30 days</default>
      <seed>Last 30 days</seed>
    </input>
  </fieldset>

  <searchTemplate>index="c3" source="*submitted_order_count.log" OR source="*failed_order_count.log" | fields source, _time, orderType, paymentType, count</searchTemplate>

  <row>
    <single>
      <searchPostProcess>search source="*submitted_order_count.log" AND (paymentType="Postpay" OR paymentType="Prepay") | head 2 | stats sum(count) as total | rangemap field=total low=0-199 severe=400-4000 elevated=200-399</searchPostProcess>
      <title>Current number of 'Submitted' orders</title>
      <earliestTime>-30m</earliestTime>
      <option name="afterLabel">'Submitted' orders</option>
      <option name="classField">range</option>
      <option name="field">total</option>
    </single>
  </row>

  <row>
    <chart>
      <title>Submitted orders by type</title>
      <searchPostProcess>search source="*submitted_order_count.log" orderType!="" | timechart avg(count) by orderType limit=0</searchPostProcess>
      <option name="charting.chart">area</option>
      <earliestTime>-28d</earliestTime>
      <option name="Height">400px</option>
      <!--<option name="charting.legend.placement">bottom</option>-->
      <option name="charting.legend.labelStyle.maximumWidth">75</option>
      <option name="charting.primaryAxisTitle.text">time</option>
      <option name="charting.secondaryAxisTitle.text">Number of orders in 'Submitted' state</option>
      <option name="charting.chart.stackMode">stacked</option>
    </chart>
  </row>
</form>
1 Solution

gkanapathy
Splunk Employee

One problem you will have is that only 10,000 events/results from the original search will be saved and passed to the searchPostProcessing command. Is this likely to be a problem?

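The following form is an added example, not the original poster's dashboard and not code from the accepted answer. It shows one way to stay under the 10,000-row hand-off the solution describes: the base search aggregates to hourly rows with bin and stats before anything reaches a post-process search, and the small "current" panel becomes a stand-alone searchString with its own 30-minute window rather than a post-process, since a post-process search runs over the rows the base search already returned for its own time range (which is why a per-panel earliestTime has no effect on it). The index, sources, field names and panel options are the ones from the question; the hourly aggregation, the searchString element, and the row-budget arithmetic in the comments are my assumptions about this data.

```xml
<form>
  <label>order dashboard (aggregated base search)</label>

  <fieldset autoRun="true">
    <input type="time">
      <default>Last 30 days</default>
    </input>
  </fieldset>

  <!-- Base search: hand the post-process searches one row per hour per
       source/orderType instead of raw per-minute events.
       Assumed budget: 1 event/minute = 1440/day = 43,200 rows over 30 days,
       which exceeds the 10,000-row hand-off; hourly buckets give
       30 days x 24 = 720 rows per source/orderType combination, so with
       2 sources and a handful of orderType values the total stays under 10,000. -->
  <searchTemplate>index="c3" source="*submitted_order_count.log" OR source="*failed_order_count.log" | bin _time span=1h | stats avg(count) as count by _time, source, orderType</searchTemplate>

  <row>
    <single>
      <title>Current number of 'Submitted' orders</title>
      <!-- Stand-alone search, not a post-process: it only needs the last 30
           minutes of raw events, so it keeps its own time window instead of
           inheriting the base search's 30-day range. -->
      <searchString>index="c3" source="*submitted_order_count.log" (paymentType="Postpay" OR paymentType="Prepay") | head 2 | stats sum(count) as total | rangemap field=total low=0-199 elevated=200-399 severe=400-4000</searchString>
      <earliestTime>-30m</earliestTime>
      <latestTime>now</latestTime>
      <option name="afterLabel">'Submitted' orders</option>
      <option name="classField">range</option>
      <option name="field">total</option>
    </single>
  </row>

  <row>
    <chart>
      <title>Submitted orders by type</title>
      <!-- Post-process over the hourly rows from the base search. No
           earliestTime here: the time range is the base search's. -->
      <searchPostProcess>search source="*submitted_order_count.log" orderType!="" | timechart span=1h avg(count) by orderType limit=0</searchPostProcess>
      <option name="charting.chart">area</option>
      <option name="charting.chart.stackMode">stacked</option>
      <option name="charting.legend.labelStyle.maximumWidth">75</option>
      <option name="charting.primaryAxisTitle.text">time</option>
      <option name="charting.secondaryAxisTitle.text">Number of orders in 'Submitted' state</option>
    </chart>
  </row>
</form>
```

Before relying on the hourly base search, run it on its own over the 30-day range and check the result count against the 10,000-row limit; if the number of distinct orderType values is larger than assumed, widen the span (for example span=4h) or drop source from the by clause for panels that do not need it.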

rahulrawlani
Explorer

I worked on one such use case where I used searchTemplate and then used searchPostProcess for the following queries. I could achieve the best performance by limiting my time range, defaulting to something like 5 mins. It seems 30 days as a default in your case is too large, as it could result in a huge number of records while aggregating.

  <!-- time input with a real-time 5 minute default; the opening input tag was missing from the posted fragment -->
  <input type="time">
    <default>
      <earliestTime>rt-5m</earliestTime>
      <latestTime>rt</latestTime>
    </default>
  </input>

mcwomble
Path Finder

Yep, this could potentially limit the history of my searches. However, for my particular search there are only 1440 events a day (1 per minute), so I would have expected a longer history than I am seeing.

This might not be such a big issue as I can always run a separate search for anything over a week and I could reduce the amount of individual queries substantially.

With this in mind, is it possible to use subsearches within the dashboard, as the tags seem to cause problems, i.e. lack of user interaction or defining of a search field results in blank charts?
