
How to use tokens in a dynamic saved search?

chrisdopuch
Path Finder

Hello,

I am trying to make a saved search dynamic. It is used on a dashboard, and by default it shows all sources with a time range of today. Performance is fine for this, but when I select a time range larger (a week for example) it is very slow. I have a source picker which filters the results of the saved search (inside of some post process searches), but what I want to do is actually modify the query itself. This way, I can pick a source and search for a longer time range quickly. Tokens would be the easiest way to do this, but I don't know if it can be done.

Thanks!

0 Karma

lguinn2
Legend

First, I don't think that you can do what you want with tokens. Second, based on the description, I am not sure that the problem is in the dashboard anyway.

Does the search run longer when it isn't part of the dashboard? Try running the report with various time ranges and use the search job inspector to look at the performance.

If you can't easily figure out the underlying search performance issue, you might look at report acceleration...

0 Karma

martin_mueller
SplunkTrust

You can use tokens in a saved search on a dashboard as well. Add $foo$ tokens to your saved search, and use this inline search on the dashboard to connect the dashboard's token with the saved search:

<searchString> | savedsearch saved_search_name foo=$foo$ </searchString>
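
The wiring described in the answer above, as an added example that is not part of the original post or Splunk's own code. The saved search name `errors_by_host`, its query, the token name `picked_source` and the source paths are all constructed for illustration. It uses the current Simple XML `<search><query>` element in place of `<searchString>`.

```xml
<!--
  Assumed saved search (hypothetical), as it would appear in savedsearches.conf:

    [errors_by_host]
    search = index=main source="$src$" log_level=ERROR | stats count by host

  $src$ in that stanza is a placeholder filled in by the savedsearch command.
  It is not a dashboard token and never sees the dashboard directly.
-->
<form>
  <label>Errors by host (constructed example)</label>
  <fieldset submitButton="false">
    <!-- Dashboard token. Its name does not have to match the placeholder name. -->
    <input type="dropdown" token="picked_source" searchWhenChanged="true">
      <label>Source</label>
      <choice value="/var/log/messages">messages</choice>
      <choice value="/var/log/secure">secure</choice>
      <default>/var/log/messages</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Left side (src) names the $src$ placeholder in the saved search.
               Right side is the dashboard token; the |s filter wraps the
               substituted value in quotes so spaces or special characters
               in the value cannot change the shape of the query. -->
          <query>| savedsearch errors_by_host src=$picked_source|s$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the source filter sits in the base search of the saved search, the selected source restricts which events are read instead of being applied afterwards in a post-process search.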

qxu5715
Explorer

Hello Mr. Müller,

Could you perhaps explain this in a bit more detail, or illustrate it with an example? I am trying to solve a problem similar to the one described above, but without success.

Is there a difference between referencing the token as $foo$ and using a different name ($token_name$)?

Thanks and best regards

0 Karma

fabiocaldas
Contributor

Thanks martin_mueller, your answer helped a lot!!

0 Karma

lguinn2
Legend

Perhaps you should share the actual search and the community might have suggestions for optimizing it.

0 Karma

lguinn2
Legend

If you change the dashboard to an inline search, yes, you can use tokens. You can use a variety of inputs, especially in Splunk 6.

But I am not sure why you believe that this will make your search run faster in the dashboard.

0 Karma

chrisdopuch
Path Finder

I have run the search outside of the dashboard, and it is still slow. For example, running the search outside the dashboard for a week time range returns ~80,000 results in 27 seconds, which is comparable to the time it would take in the dashboard.

I am currently using search acceleration already, for a range of 3 months.

I am positive I can do what I want with tokens in an inline search. Do you mean to say that I cannot create a dynamic saved search using tokens or some other method?

0 Karma