I'm trying to make a view/dashboard that contains a lot of panels showing different views of basically the same search. This search is quite heavy, and takes a long time, as it analyses GBs of data looking for transactions.
I am currently using four panels on my view, and each panel runs its own instance of the search, differing slightly only with the final piped search commands (count of all transactions, timechart average duration, timechart max duration, and a table listing all transactions with duration greater than 2).
I understand I could reuse the search text using a macro, but what I want to use is the actual results of the underlying search passed through transaction, and then have each of the different view panels use the underlying transaction results, and only apply its own trailing commands to transform the data as required.
It seems wrong to have to run such a heavy search multiple times, overloading the Splunk server unnecessarily, when all I need to do is apply a couple of different things to the results. Independently of the transaction search, these would complete very quickly.
What do I need to do to achieve this?
As others have noted, "searchPostProcess" in Simple XML (and "HiddenPostProcess" in Advanced XML) do what you ask. However, you should be aware that currently (version 4.1.4) only up to 10,000 results/events will be passed from the base search to any postprocessing search, so if your base search returns more than this, it won't be terribly useful.
Sure. What you're looking for is 'searchPostProcess'. The best way to understand this is to get the "UI Examples for 4.1" application from splunkbase. The specific technique you want is shown in the dashboard called "Using postProcess on Dashboards" under the "Advanced XML" tab.
I think the best help here is to refer you to these docs pages:
The former makes examples with forms and simple views, the latter uses advanced views. In both cases you basically define a master search outside of the "panels" and then you apply postprocessing to its results inside of each panel.
Beware of a current bug which prevents some kinds of panel from correctly treating the postprocessing in the "simple" mode. There is some info on this bug at this page: Splunk Forum: hiddenPostProcess
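
The layout the answers describe, written out as a Simple XML dashboard for the four panels in the question. This is an added example, not part of the original thread: the sourcetype `app_log`, the field `session_id` and the panel titles are hypothetical, and the element names assume the `searchTemplate`/`searchPostProcess` form of Simple XML.

```xml
<dashboard>
  <label>Transaction overview</label>

  <!-- Base search: runs once for the whole dashboard.
       sourcetype and session_id are placeholders for your own data.
       transaction adds the "duration" field used by every panel below. -->
  <searchTemplate>sourcetype=app_log | transaction session_id | fields _time, duration</searchTemplate>
  <earliestTime>-24h</earliestTime>
  <latestTime>now</latestTime>

  <row>
    <!-- Each panel applies only its trailing commands to the base results. -->
    <table>
      <title>Count of all transactions</title>
      <searchPostProcess>stats count</searchPostProcess>
    </table>
    <table>
      <title>Transactions with duration greater than 2</title>
      <!-- ">" is written as &gt; so the XML stays well-formed -->
      <searchPostProcess>search duration&gt;2 | fields _time, duration</searchPostProcess>
    </table>
  </row>

  <row>
    <chart>
      <title>Average duration over time</title>
      <searchPostProcess>timechart avg(duration)</searchPostProcess>
    </chart>
    <chart>
      <title>Maximum duration over time</title>
      <searchPostProcess>timechart max(duration)</searchPostProcess>
    </chart>
  </row>
</dashboard>
```

The `fields` clause at the end of the base search keeps only what the panels need, which matters because each post-process search can only see the fields and results the base search hands over.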