Dashboards & Visualizations

SearchPostProcess within Dashboard

mcwomble
Path Finder

Hi,

I have created a dashboard which is too intensive with its searches. Each search is effectively reading fields from the same line. In order to alleviate this loading I have created a form with a search template and related post-processing searches, which works well and reduces the load time of the dashboard.

However, this creates some strange behaviour in that the <earliestTime> tag seems to be ignored and graphs only show the last 6 hours.

Also, is it possible to use post-processing searches (preferably non-dynamic) within a dashboard? Replacing the <form> tags with <dashboard> results in blank graphs, which I assume is caused by the lack of user input in the <fieldset> component.

Excerpt from the form is as follows:

<form>
  <label>order dashboard</label>

  <fieldset autoRun="true">
    <input type="time">
      <default>Last 30 days</default>
      <seed>Last 30 days</seed>
    </input>
  </fieldset>

  <searchTemplate>index="c3" source="*submitted_order_count.log" OR source="*failed_order_count.log" | fields source, _time, orderType, paymentType, count</searchTemplate>

  <row>
    <single>
      <searchPostProcess>search source="*submitted_order_count.log" AND (paymentType="Postpay" OR paymentType="Prepay") | head 2 | stats sum(count) as total | rangemap field=total low=0-199 severe=400-4000 elevated=200-399</searchPostProcess>
      <title>Current number of 'Submitted' orders</title>
      <earliestTime>-30m</earliestTime>
      <option name="afterLabel">'Submitted' orders</option>
      <option name="classField">range</option>
      <option name="field">total</option>
    </single>
  </row>

  <row>
    <chart>
      <title>Submitted orders by type</title>
      <searchPostProcess>search source="*submitted_order_count.log" orderType!="" | timechart avg(count) by orderType limit=0</searchPostProcess>
      <option name="charting.chart">area</option>
      <earliestTime>-28d</earliestTime>
      <option name="Height">400px</option>
      <!--<option name="charting.legend.placement">bottom</option>-->
      <option name="charting.legend.labelStyle.maximumWidth">75</option>
      <option name="charting.primaryAxisTitle.text">time</option>
      <option name="charting.secondaryAxisTitle.text">Number of orders in 'Submitted' state</option>
      <option name="charting.chart.stackMode">stacked</option>
    </chart>
  </row>
</form>
1 Solution

gkanapathy
Splunk Employee

One problem you will have is that only 10,000 events/results from the original search will be saved and passed to the searchPostProcessing command. Is this likely to be a problem?


rahulrawlani
Explorer

I worked with one such use case where I used searchTemplate and then used searchPostProcess for the following queries. I could achieve the best performance by limiting my time range, defaulting to something like 5 mins. 30 days as the default in your case seems too large, as it could result in a huge number of records while aggregating.

<input type="time">
  <default>
    <earliestTime>rt-5m</earliestTime>
    <latestTime>rt</latestTime>
  </default>
</input>


mcwomble
Path Finder

Yep, this could potentially limit the history of my searches. However, for my particular search there are only 1440 events a day (1 per minute), so I would have expected a longer history than I am seeing.

This might not be such a big issue as I can always run a separate search for anything over a week, and I could reduce the amount of individual queries substantially.

With this in mind, is it possible to use subsearches within the dashboard, as the tags seem to cause problems, i.e. lack of user interaction or defining of a search field results in blank charts?
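A <dashboard> version of the form above, as an added example that is not from any poster in this thread: it drops the <fieldset>, fixes the time range once at the dashboard level, and pre-aggregates the base search so the post-process panels stay well under the 10,000-row cap gkanapathy describes. It assumes the Splunk 5 simple XML convention that <earliestTime>/<latestTime> may sit beside <searchTemplate> as children of <dashboard>; the index, source names and field names are the poster's.

```xml
<dashboard>
  <label>order dashboard</label>

  <!-- Base search: aggregate to one row per hour per field combination instead of
       one row per raw event. Rows passed to post-process = hours x distinct
       (source, orderType, paymentType) combinations; keep that product < 10,000,
       or shorten the range / widen the span. avg() mirrors the original chart. -->
  <searchTemplate>index="c3" (source="*submitted_order_count.log" OR source="*failed_order_count.log") | bin _time span=1h | stats avg(count) as count by _time, source, orderType, paymentType</searchTemplate>

  <!-- Assumed: with no fieldset to supply a time input, the range is set here once
       and applies to every post-process panel. -->
  <earliestTime>-28d</earliestTime>
  <latestTime>now</latestTime>

  <row>
    <single>
      <title>Current number of 'Submitted' orders</title>
      <!-- "Current" = the most recent hourly bucket in the base results, so no
           separate -30m range is needed and no head N on raw events. -->
      <searchPostProcess>search source="*submitted_order_count.log" AND (paymentType="Postpay" OR paymentType="Prepay") | eventstats max(_time) as latest | where _time=latest | stats sum(count) as total | rangemap field=total low=0-199 elevated=200-399 severe=400-4000</searchPostProcess>
      <option name="afterLabel">'Submitted' orders</option>
      <option name="classField">range</option>
      <option name="field">total</option>
    </single>
  </row>

  <row>
    <chart>
      <title>Submitted orders by type</title>
      <!-- span matches the base search bucket so timechart does not re-bucket. -->
      <searchPostProcess>search source="*submitted_order_count.log" orderType!="" | timechart span=1h avg(count) by orderType limit=0</searchPostProcess>
      <option name="charting.chart">area</option>
      <option name="charting.chart.stackMode">stacked</option>
      <option name="charting.primaryAxisTitle.text">time</option>
      <option name="charting.secondaryAxisTitle.text">Number of orders in 'Submitted' state</option>
    </chart>
  </row>
</dashboard>
```

Because every panel now shares one base search and one time range, a shorter range for the single-value panel is expressed inside its post-process search (the latest bucket) rather than with a per-panel <earliestTime>.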
