Dashboards & Visualizations

Multiple dependency dropdown menus are too slow - How can I make my dropdown menus populate faster?

asherman
Path Finder

Hi,

I have a dashboard that depends on a number of dropdown menus. These dropdown menus filter each other (e.g., if I pick a 'version', the 'build' dropdown menu will filter based on the builds available for that version). The menus all have the same initial search, but there doesn't seem to be a way to create a searchTemplate that is only for use by the dropdown menus (please correct me if this is wrong).

The issue my users are reporting is that the dropdown menus take a while to populate - sometimes it seems longer than the main search. This is because of this staircase-esque nature to the dropdowns where selecting one refreshes others (even if the selection in that dropdown won't change).

One option I would like is the ability to type in an option to the dropdown menu independent of whether or not that term shows up (or has shown up yet) in the populating search. This would allow users to specify options they know exist while waiting for the dropdown to populate. Currently, no typing area is available until enough results are found to create a scrollbar (I would prefer there to always be one when the menu is clicked).

However, I am wondering if there is a better way to do this all together. There are enough possible settings of the dropdown menus (and more come in every day) that I do not think saved searches are the way to go, even though many of these searches are repeated or almost repeated.

I also have all the dropdown menu data stored in its own index (this is done offline - setting up a dropdown index that accurately reflects the data in the main indexes).

Excerpt from my dashboard:

  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="index" searchWhenChanged="True">
      <choice value="_official">Official</choice>
      <choice value="_official OR index=_standard">All</choice>
      <choice value="_standard">User</choice>
      <label>Data</label>
      <default>Official</default>
    </input>
    <input type="dropdown" token="version" searchWhenChanged="True">
      <choice value="*">All</choice>
      <populatingSearch fieldForValue="version" fieldForLabel="version">index=[| gentimes start=-1 | eval search=if("$index$"="_official","_dropdown","_dropdown_standard")| table search] | dedup version | table version</populatingSearch>
      <label>Version</label>
      <default>23</default>
   </input>
   <input type="dropdown" token="build" searchWhenChanged="True">
      <populatingSearch fieldForValue="build" fieldForLabel="build">index=[| gentimes start=-1 | eval search=if("$index$"="_official","_dropdown","_dropdown_standard") | table search] version=$version$ | dedup build | table build | sort + build | reverse</populatingSearch>
      <choice value="*">All</choice>
      <default>*</default>
      <label>Build</label>
   </input>
   <input type="dropdown" token="family" searchWhenChanged="True">
      <populatingSearch fieldForValue="family" fieldForLabel="family">index=[| gentimes start=-1 | eval search=if("$index$"="_official","_dropdown","_dropdown_standard") | table search] version=$version$ | dedup family | table family | sort + family</populatingSearch>
      <choice value="*">Any</choice>
      <default>Main</default>
      <label>Family</label>
   </input>
   <input type="dropdown" token="device" searchWhenChanged="True">
      <populatingSearch fieldForValue="device" fieldForLabel="device">index=[| gentimes start=-1 | eval search=if("$index$"="_official","_dropdown","_dropdown_standard") | table search] version=$version$ (family="$family$") | dedup device | table device | sort + device</populatingSearch>
      <choice value="*">Any</choice>
      <default>Main</default>
      <label>Device</label>
   </input>
   <input type="dropdown" token="bin" searchWhenChanged="True">
      <choice value="primary">Primary</choice>
      <populatingSearch fieldForValue="bin" fieldForLabel="bin">index=[| gentimes start=-1 | eval search=if("$index$"="_official","_dropdown","_dropdown_standard") | table search] version=$version$ build=$build$ (family="$family$") (device=$device$) | dedup bin | table bin</populatingSearch>
      <label>Bin</label>
      <default>Primary</default>
    </input>
    <input type="dropdown" token="corner" searchWhenChanged="True">
      <choice value="*">All</choice>
      <populatingSearch fieldForValue="corner" fieldForLabel="corner">index=[| gentimes start=-1 | eval search=if("$index$"="_official","_dropdown","_dropdown_standard") | table search] version=$version$ build=$build$ (family="$family$") (device=$device$) | dedup corner | table corner</populatingSearch>
      <label>Corner</label>
      <default>900mv_100c</default>
    </input>
    <input type="dropdown" token="voltage" searchWhenChanged="True">
      <populatingSearch fieldForValue="voltage" fieldForLabel="voltage">index=[| gentimes start=-1 | eval search=if("$index$"="_official","_dropdown","_dropdown_standard") | table search] version=$version$ build=$build$ corner=$corner$ (family="$family$") (device=$device$) | dedup voltage | table voltage | sort + voltage</populatingSearch>
      <choice value="*">All</choice>
      <label>Silicon Voltage (mv)</label>
      <selectFirstChoice>true</selectFirstChoice>
      <default>900</default>
    </input>
    <input type="dropdown" token="temp" searchWhenChanged="True">
      <label>Silicon Temperature (celsius)</label>
      <choice value="*">All</choice>
      <selectFirstChoice>true</selectFirstChoice>
      <populatingSearch fieldForValue="temp" fieldForLabel="temp">index=[| gentimes start=-1 | eval search=if("$index$"="_official","_dropdown","_dropdown_standard") | table search] version=$version$ build=$build$ corner=$corner$ (family="$family$") (device=$device$) | dedup temp | table temp | sort + temp</populatingSearch>
      <default>100</default>
    </input>
    <input type="dropdown" token="group" searchWhenChanged="True">
      <choice value="*">All</choice>
      <populatingSearch fieldForValue="group" fieldForLabel="group">index=[| gentimes start=-1 | eval search=if("$index$"="_official","_dropdown","_dropdown_standard") | table search] version=$version$ build=$build$ corner=$corner$ (family="$family$") (device=$device$)  | dedup group  | table group | sort + group</populatingSearch>
      <label>Group</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="name" searchWhenChanged="True">
      <choice value="*">All</choice>
      <populatingSearch fieldForValue="name" fieldForLabel="name">index=[| gentimes start=-1 | eval search=if("$index$"="_official","_dropdown","_dropdown_standard") | table search] version=$version$ build=$build$ corner=$corner$ (family="$family$") (device=$device$) group=$group$ | dedup name | table name | sort + name</populatingSearch>
      <label>Design</label>
      <default>*</default>
    </input>
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Few things in your searches that may improve the performance of your dropdown load

  1. All your dropdown searches are running for "All Time" timerange. I would suggest to limit this to a specific range, if possible. You have options to specify earliest and latest at populating search level. E.g. for last 30 days

  2. Instead of using "dedup" along with "table" and "sort", you can just use stats which does the same thing and is much faster. e.g.

    index=[| gentimes start=-1 | eval search=if("$index$"="_official","_dropdown","_dropdown_standard")| table search] | stats count by version

You have mentioned version as fieldForValue and fieldForLabel anyways so no need to specifically mentioning a table command. The stats does sort the values in ascending order so you can remove all "sort +" items.

asherman
Path Finder

The time range is tricky since it would depend on the selection of version/build. Is there a way of dynamically setting that based on the timestamp of an event? I.e., the range would be +/- 5 days of a build or +/- 180 days of a version, etc.

0 Karma

lguinn2
Legend

Actually, you can use populatingSavedSearch. Here is the spec:

<populatingSavedSearch fieldForValue="[field name]" fieldForLabel="[field name]"> 
    [report name]
</populatingSavedSearch> 

If report name is a scheduled search that runs periodically (maybe once a day would be enough?), then I think that Splunk will take the most recent cached report results. That would make this significantly faster.

It would be worth trying...

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...