Splunk Search

Dashboard panels with depends attribute still execute search with display?

wang
Path Finder

I am building a dashboard that has multiple panels, and some searches are slow. So I added an input checkbox to control whether to show/hide the slow panels and added the "depends" attribute to the slow panels.

While the display correctly shows/hides the slow panels, my question is: does the "depends" attribute also prevent the slow search from being executed? What I really want is to NOT have the slow search executed at all if the checkbox is not checked.

When I toggle the checkbox, the slow panels are shown immediately (i.e. not waiting for search results), so it appears that while the slow panels are NOT displayed by default, the associated searches are still being executed "behind the scenes" by default.

Is there any way to NOT execute the slow query until selected?


niketn
Legend

@wang you can create a token from the checkbox in such a way that the same token is also used in the panel search which depends on the checkbox.

1) The first option is to have the token from the checkbox set in a way that it can be added to the base search itself.
2) The second option is to use the token in the search query after the final pipe. Set a dummy field with the token value and then use fields - to remove the dummy field afterward.

Following is a run anywhere search based on Splunk's _internal index explaining both options:

<form>
  <label>Prevent background search for hidden panels</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="checkbox" token="tokLogLevel">
      <label></label>
      <choice value="log_level!=&quot;INFO&quot;">Show Pie Chart</choice>
    </input>
    <input type="checkbox" token="tokShowTimeChart" searchWhenChanged="true">
      <label></label>
      <choice value="true">Show Timechart</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Panel 1 - Use Token in Base Search</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd $tokLogLevel$ component=*
| top component showperc=f</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Option 2 - Add dummy field in final result to add token dependency and then remove</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO" component="*"
| timechart count by component limit=10 useother=f
| eval dummyTokenToPreventSearch="$tokShowTimeChart$"
| fields - dummyTokenToPreventSearch</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>

PS: In order to show the behavior in the sample dashboard, I have not used the tokens in the depends attribute to hide panels when the searches are waiting for input.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
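
As an added example (not code from this thread), a small Python check that parses a Simple XML dashboard and lists panels whose `depends` token is not referenced anywhere in the panel's own search, i.e. panels that are hidden but not gated in the way the answer above describes. The sample dashboard and the names `ungated_panels`, `tokens` and `tokShowSlow` are constructed for illustration; only `depends` set on `<panel>` is inspected.

```python
import re
import xml.etree.ElementTree as ET

# $name$ or $name|filter$; captures the token name only
TOKEN = re.compile(r"\$([A-Za-z_][\w.]*?)(?:\|\w+)?\$")

# Constructed sample dashboard (not taken from the thread)
SAMPLE = """<form>
  <row>
    <panel depends="$tokShowSlow$">
      <title>Hidden only</title>
      <chart><search>
        <query>index=_internal | timechart count by component</query>
        <earliest>$tokTime.earliest$</earliest>
      </search></chart>
    </panel>
    <panel depends="$tokShowTimeChart$">
      <title>Hidden and gated</title>
      <chart><search>
        <query>index=_internal | timechart count
| eval dummy="$tokShowTimeChart$" | fields - dummy</query>
      </search></chart>
    </panel>
  </row>
</form>"""

def tokens(text):
    """Return the set of token names referenced in a string."""
    return set(TOKEN.findall(text or ""))

def ungated_panels(xml_text):
    """Titles of panels whose depends tokens never appear in their search."""
    flagged = []
    for panel in ET.fromstring(xml_text).iter("panel"):
        gate = tokens(panel.get("depends"))
        if not gate:
            continue  # panel is always visible, nothing to check
        for search in panel.iter("search"):
            used = set()
            for child in search:
                if child.tag in ("query", "earliest", "latest"):
                    used |= tokens(child.text)
            if not gate & used:  # search never waits on the gating token
                flagged.append(panel.findtext("title", default="(untitled)"))
    return flagged

if __name__ == "__main__":
    print(ungated_panels(SAMPLE))
```
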

wang
Path Finder

I figured out how to correctly save the original timestamps:

<input type="time" token="time_range" searchWhenChanged="true">
  <label></label>
  <default>
    <earliest>-5m</earliest>
    <latest>now</latest>
  </default>
  <change>
    <condition match="isnum($time_range.earliest$) OR isnum($time_range.latest$)">
      <eval token="start_timestamp">$time_range.earliest$</eval>
      <eval token="end_timestamp">$time_range.latest$</eval>
    </condition>
    <condition>
      <eval token="start_timestamp">relative_time(now(), $earliest$)</eval>
      <eval token="end_timestamp">relative_time(now(), $latest$)</eval>
    </condition>
  </change>
</input>

Then I can use the start_timestamp and end_timestamp in my delayed search.

niketn
Legend

@wang I am glad you figured it out on your own. Following is one of my previous answers with two approaches to get the epoch time from the Time Picker: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

wang
Path Finder

Implemented Option 2 and it works well!

One minor issue is that if the time picker window is relative, like -10m (last 10 mins), and the checkbox for the hidden panel/search is clicked 5 mins after the initial display of the dashboard, the time window for the hidden search is different from the original time, i.e. delayed by 5 mins.

How can I capture the time window when the main dashboard is displayed and use that for the hidden search?

I tried saving info_min_time and info_max_time in variables:

| eval start_timestamp = info_min_time | eval end_timestamp = info_max_time

and reuse them in the hidden search by setting earliest and latest but it's not working.

How do I pass the original time stamp to the delayed search?
