Is there a way to use the same index and sourcetyp...

athorat · ‎07-14-2015

Hi ,

We have many dashboards where they have more than 10 panels and each panel has it own search string. The common aspect in all the searches is indexn and sourcetype.

When the dashboard is refreshed, I think it runs 10 searches from each panel. Instead of doing this, is there a way we can use the index and sourcetype once and run the rest of the part locally?

Two sample searches:

index=prod sourcetype="HADOOP:PROD:STORM" ">> WMQSpout Contract :: nextTuple :: Contract :: Emiting Message ID :" | stats count
index=prod sourcetype="HADOOP:PROD:STORM" ">> WMQInput  Contract :: nextTuple :: Contract :: Emiting Message ID :" | stats count

pradeepkumarg · ‎07-14-2015

If you are running recent versions of Splunk, you can use global search and then do post process

A dashboard can contain one or more global elements that drive the data displayed in the dashboard. The elements can contain one or more elements that drive the data in each panel.

http://docs.splunk.com/Documentation/Splunk/6.2.3/Viz/PanelreferenceforSimplifiedXML

aljohnson_splun · ‎07-14-2015

Post-process searches

Sometimes you end up with a dashboard running searches that are similar. You can save search resources by creating a base search for the dashboard. Panels in the dashboard use a post-process search to further modify the results of a base search. The base search can be a global search for the dashboard or any other search within the dashboard.

Typically, the global search is a transforming search. A transforming search uses transforming commands to transform event data returned by a search into statistical data tables. See transforming commands and searches in the Search Manual.

Post-process limitations

Post-process searches have limitations.

If the base search is a non-transforming search, Splunk Enterprise retains only the first 10,000 events returned. The post-process search does not process events in excess of this 10,000 event limit, silently ignoring them. This results in incomplete data for the post-process search. A transforming search as the base search helps avoid this limitation.
If the post-processing operation takes too long, it can exceed Splunk Web client’s non-configurable timeout value of 30 seconds. This can result in a timeout due to an unresponsive splunkd daemon/service. This scenario typically happens when you use a non-transforming search as the base search.

The topic Post-process examples provides guidance on constructing post-process searches.

FROM HERE

Example

<dashboard>
  <label>Dashboard with post-process search</label>

  <!-- Base search cannot pass more than 10,000 events to post-process searches-->
  <!-- Example uses stats transforming command -->
  <!-- This limits events passed to post-process search -->
  <search id="baseSearch">
    <query>
      index=_internal source=*splunkd.log | stats count by component, log_level
    </query>
  </search>

 <row>
    <panel>
      <chart>
        <title>Event count by log level</title>

        <!-- post-process search -->
        <search base="baseSearch">
          <query>
            stats sum(count) AS count by log_level
          </query>
        </search>

      </chart>
    </panel>
    <panel>
      <chart>
        <title>Error count by component</title>

        <!-- post-process search -->
        <search base="baseSearch">
          <query>
            search log_level=error | stats sum(count) AS count by component
          </query>
        </search>

        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</dashboard>

FROM HERE