Solved: Can 1 query be used to populate multiple panels?

WhatIsSplunk · ‎08-29-2016

Background:
I created a dashboard to monitor ticket SLA times. The dashboard is slow because there are 18 single value panels and each panel has its own query. I'm looking for some way to optimize this dashboard to decrease the load time for the user and the server. I need to create similar dashboards for other departments, so I could have 8-10 of these in the end, which will increase the strain on the server. I also have a "manager" dashboard that contains the same information, but it's displayed in a table. I was able to populate the table with 1 query and a nested query, and the load time is dramatically better than the 18 individual panels.

My question:
The dashboard with the 18 panels has 18 queries that are almost identical, the only difference is the SLA time equation, which is how I was able to restructure the query in the manager dashboard. Is there some way I can run the query from the manager dashboard and display the results in the 18 panels? (I want to copy and paste the query, not reference one dashboard from another.) I've tried saving the results to tokens, using a searchTemplate and searchPostProcess, created a report and had the panels reference that report, and none of these ideas have worked. I also created a base search to have the panels reference, and while this works, it's not any faster than the separate queries. Any help is greatly appreciated. Thanks.

sundareshr · ‎08-29-2016

Yes, you can create a global search and reference that in post-process searches. Start here for more info

http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/PanelreferenceforSimplifiedXML#search_element

View solution in original post

somesoni2 · ‎08-29-2016

Have you looked at post process concept? Based on your description, setting up post process for all similar queries can reduce the number of searches being run and significantly improve the performance.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/Savedsearches#Post-process_searches

Also download Splunk 6.x example app and look for Post Process example.
https://splunkbase.splunk.com/app/1603/

WhatIsSplunk · ‎08-29-2016

Hi somesoni2,
Yes, I have tried the post process concept. I created a base/global search outside all of the panels and used post process inside the panels. It doesn't return the correct results because I have to figure the SLA time and compare it to the ticket time in the post process query, and it doesn't like that; it always returns 0.

sundareshr · ‎08-29-2016

Yes, you can create a global search and reference that in post-process searches. Start here for more info

http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/PanelreferenceforSimplifiedXML#search_element

WhatIsSplunk · ‎08-30-2016

I managed to find the solution to my problem. I kept tinkering with the post process concept and finally found the right keyword to put in the post process search. Here is a sample of what I used for the base search and the search in each panel.

  <search id="base">
    <query>index=tickets | eval ActDate=strptime(ActivityDate,"%Y-%m-%d") | eval SLA_Time=relative_time(now(), "-7d@d") | where AssignedTo="Team" AND Status="Open" | stats  count(eval(Class="class1" AND ActDate=SLA_Time)) AS group1 count(eval(Class="class2" AND ActDate=SLA_Time)) AS group2</query>
  </search>

Panel 1

        <search base="base">
          <query>fields group1</query>
        </search>

Panel 2

        <search base="base">
          <query>fields group2</query>
        </search>

Can 1 query be used to populate multiple panels?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!