How to Make Dashboards Load Fast with Base Search in Splunk
This article explains how to use a “base search” to make your dashboards load fast. In Splunk, a limited set of search types is available to populate the visualizations or search results in a dashboard:
- Pre-built panel searches
- Reference report searches
- Post-process searches
- Inline searches
- Pivot-generating searches, and others
Among these, the one of interest here is the post-process search. Often you will find that a single dashboard contains numerous searches that are nearly identical to one another. This means the same kind of search runs more than once to populate different results, and Splunk does more work than necessary. That is where the idea of a “base search” comes in; in Splunk it is implemented as post-process searching.
A typical dashboard can have many panels, and each of these panels has its own search query.
Let’s look at the things that make a dashboard slow.
- “Search is waiting for input”
This message appears on the panels as soon as a dashboard is launched. It is caused by the tokens you created for the various inputs: the tokens take time to be passed to the panels. This is the first thing that makes a dashboard slow.
- Every panel has its own search query
Suppose you have 5 panels in a dashboard and each panel has its own search query, as it should. Every query is loaded one by one, so if a single query takes five seconds to load, it will take 25 seconds to load the full dashboard.
In this blog we will work with a base search. Say we have numerous panels on the dashboard and it takes a long time to load; this makes a bad impression on your client. Using a base search, the whole dashboard loads concurrently and faster.
We have a dashboard called “New_Demo_Dashboard” with 3 different panels and a “text input”.
In each of the 3 panels we have a different query, which are:
Here $text_token$ refers to the token for the text input.
As seen in the 3 panels, we have a shared portion, “index=_internal sourcetype=splunkd_ui_access $text_token$”. We will make this portion the base search.
Click on Edit and then on Source.
After that, make the other changes as displayed.
Create a “search” tag at the top and give it an “id”. Within a “query” tag, write the portion of the query common to the three panels, followed by a fields or table command. Remember that every field name the panels need must be listed there. After that, specify the earliest and latest time, which will apply to every panel, and set “sampleRatio” to 1.
Now go through the panels one by one and make some changes.
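The completed Simple XML for the dashboard described above, as an added example (not the article's own source, which is only shown as a screenshot). The three panel queries are assumptions: the article does not show them, so the panels below aggregate by status, uri and user, fields that exist in the splunkd_ui_access sourcetype.

```xml
<form>
  <label>New_Demo_Dashboard</label>
  <!-- Base search: the portion shared by all three panels, run once.
       Post-process searches see only the fields listed here, so every
       field a panel needs must appear in the fields command. -->
  <search id="base_ui_access">
    <query>index=_internal sourcetype=splunkd_ui_access $text_token$
| fields _time status uri user</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="true">
    <!-- The token is substituted into the SPL verbatim; the default keeps
         the base search valid (and not "waiting for input") when empty. -->
    <input type="text" token="text_token">
      <label>Extra filter (SPL)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Requests by HTTP status</title>
      <chart>
        <!-- Post-process search: base= points at the id declared above -->
        <search base="base_ui_access">
          <query>stats count by status</query>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Top requested URIs</title>
      <table>
        <search base="base_ui_access">
          <query>top limit=10 uri</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Requests per user</title>
      <table>
        <search base="base_ui_access">
          <query>stats count by user | sort - count</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Splunk caps the number of events a post-process search can receive from a non-transforming base search (the documented limit is 500,000), so on a high-volume index the base search should narrow the time range or aggregate before the panels post-process it.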
Finding the Current Size & Total Event Count of Any Index in Splunk
In this blog you will learn how to find the current size and total event count of every index in Splunk.
Run the command below in the search bar.
Outcome
In the outcome above, the title, totalEventCount and currentDBSizeMB fields give us, respectively, the index name, the total event count of that index, and the space (in MB) currently used by the index on disk.
With the help of base search, I want to prepare a dashboard where I can get the display of different applications installed in the network, e.g. the number of Chrome, Mozilla, Skype, etc. in different panels.
Filtering search query like Product_name="Chrome" OR Product_name="Skype"
Note: Using -- instead of HTML tags as they are not allowed while posting this post. Thanks for understanding.
--search id="product_name"> --query> index="index_name" (ProductName=#1# OR ProductName=#2# OR ProductName=#3# OR etc.) | dedup host, ProductName | stats count --/query> --/search>
and the main query:
--search base="product_name"> --query> stats count --/query> --/search>