How to edit the base search for my dashboards?

jbrierton · ‎05-24-2017

So I have a dashboard currently that runs 6 reports to build all of it's widgets. Basically 1 per widget. The issue is that the data each widget is summing over is huge. So instead of 6 large reports I'd prefer to have 1 huge report that each widget uses.

The issue I'm having is that the base report I want looks vaguely like this:

index=theIndex data_type=raw OR (data_type=error AND error_reason="Unknown*") | bin _time span=5m | stats count by _time,data_type,relay,alias

So simple enough really. Just going "gimme this data", dropping it into 5m bins, then give me a big table broken down by time, data_type, relay and alias. Great.

But when I want to make a time chart off of this report in a dashboard as a base search I run into some issues. When I tried the query in just plain search I threw in

| timechart span=5m count by data_type

in the dashboard search code. It just gave back the count of different relay and aliases per time period.

I know I need to grab the count value from the stats but I'm unsure of how to do it properly.

Thanks!

jbrierton · ‎05-25-2017

Hey. Thanks everyone. Both suggestions work. The issue I'm running into now is that the 15 minute report takes 30 minutes to run. So I have to sort that out now. Thanks for your help!

DalJeanis · ‎05-25-2017

That's not the solution, then. I've edited my post to clarify that the span=5m was still part of the first search. If you didn't do that, then please try it.

If that doesn't solve your speed issue, then your options are establishing a summary index, and accelerating the search. Either one of those should do the trick in this case.

aaraneta_splunk · ‎05-25-2017

@jbrierton - I know you said that both solutions work, but please click “Accept” below the best answer to resolve this post so that others can find it easily if they're having the same issue. Please also at least upvote the other answer too 🙂 Thanks.

kamlesh_vaghela · ‎05-25-2017

Hi jbrierton,

can you please try it with 3 searches(One base search and 2 normal searches) ?

1st search (Base search):

<search id="mainBaseSearch>
<query>
index=theIndex data_type=raw OR (data_type=error AND error_reason="Unknown*") | table _time,data_type,relay,alias 
</query>
</search>

2nd search

<search base="mainBaseSearch">
    <query>
    bin _time span=5m | stats count by _time,data_type,relay,alias 
    </query>
    </search>

3rd search

<search base="mainBaseSearch">
    <query>
     timechart span=5m count by data_type
    </query>
    </search>

Thanks

DalJeanis · ‎05-24-2017

Best practices are to always rename a count field, because trying to refer to the prior count in a later timechart (for example) won't work, because to the later command, count means to count the new transactions.

Try something like this...

  index=theIndex data_type=raw OR (data_type=error AND error_reason="Unknown*") 
 | bin _time span=5m 
 | stats count as eventcount by _time,data_type,relay,alias 

 | timechart span=5m sum(eventcount) as eventcount by data_type

edited to clarify that the span= was still part of the first search

How to edit the base search for my dashboards?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk