Monitoring Splunk

[Performance] Fastest way to get a list of all values for a field

timmalos
Communicator

Hi.
I use a lot of SearchSelectLister modules in my dashboard.
Users select values to refine a search.
For example, they first select a host, and with this host they select a sourcetype, etc.
I have a lot of SearchSelectLister and ConvertToIntention modules nested and it works well.

My problem is that the first searches take a long time since the search is heavy, whereas I only want all the values of a field.

For example my scripts look like:

<module name="SearchSelectLister" layoutPanel="mainSearchControls">
    <param name="settingToCreate">setting</param>
    <param name="searchWhenChanged">True</param>
    <param name="applyOuterIntentionsToInternalSearch">True</param>
    <param name="earliest">-1h</param>
    <param name="latest">now</param>
    <param name="search">index="infra_storagearea" host=$vsp$ sourcetype=vspLU |dedup LUN| table LUN|sort LUN</param>
</module>

Here I'm looking for all values of a field LUN with a certain host that I got from a previous Select. I'm obligated to put earliest=-1h or the search takes more than 30 sec, and on a dashboard that's too long, but I'm not sure I have all values. I would have earliest=4h if possible.

Is this search better? Is there any better way?

index="infra_storagearea" host=$vsp$ sourcetype=vspLU |stats count by LUN| table LUN|sort LUN

timmalos
Communicator

The solution is to use lookup tables.
You have to configure a scheduled search that runs each day and exports the values you need with an outputlookup.

Hence you have to search for |importlookup File.csv in the SearchSelectLister.

However, if you have to go with search, the best way is to use |stats count by LUN | fields - count. Data is automatically sorted by LUN and comes as tabular form using stats.
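
The lookup approach described in this thread, as an added example that is not part of the original posts: a scheduled search writes the host/LUN pairs to a lookup file with `outputlookup`, and the dropdown reads them back with `inputlookup`. The stanza name, the schedule, the 24-hour window and the file name `vsp_lun_values.csv` are assumptions.

```ini
# savedsearches.conf (added example; names and schedule are assumptions)

[Build LUN dropdown lookup]
# Run once a day, outside dashboard hours.
enableSched = 1
cron_schedule = 0 2 * * *

# The window decides which values end up in the dropdown:
# a LUN that logged nothing in this period is not listed.
dispatch.earliest_time = -24h
dispatch.latest_time = now

# Keep host in the output so the dropdown can still be filtered
# by the host chosen in the previous select.
search = index="infra_storagearea" sourcetype=vspLU | stats count by host LUN | fields - count | outputlookup vsp_lun_values.csv

# Search to put in the SearchSelectLister "search" param instead of the
# index search. It reads only the CSV, so no time range is scanned:
#
#   | inputlookup vsp_lun_values.csv | search host=$vsp$ | fields LUN | sort LUN
```

The dropdown now costs a CSV read instead of an index scan, at the price of values being up to one day stale.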

somesoni2
SplunkTrust

Yes, Lookup will be the best solution for static values/dropdown list type of values. However, if you have to go with search, the best way is to use "|stats count by LUN | fields - count". Data is automatically sorted by LUN and comes as tabular form using stats.

adityapavan18
Contributor

Yes, you can use lookup tables, which will be faster. Hardcoding them in the advanced XML is much faster, but it will require an advanced XML edit every time a new value is added.

timmalos
Communicator

Maybe I'll use some lookup tables; it seems to me the best solution for this case.
