SearchPostProcess within Dashboard

Question

Hi,

I have created a dashboard which is too intensive with it's searches. Each search is effectively reading fields form the same line. In order to alleviate this loading I have created form with a search template and related postprocessing searches, which works well and reduces the load time of the dashboard.

However this creates some strange behaviour in that the <earliestTime> tag seems to be ignored and graphs only show the last 6 hours.

Also is it possible to use postprocessing searches (preferably non-dynamic) within a dashboard? Replacing the <form> tags with <dashboard> results in blank graphs, which I assume is caused by the lack of user input in the <fieldset> component.

Excerpt from the form is as follows:

<form>

  <label>order dashboard</label>

   <fieldset  autoRun="true">
    <input type="time">
     <default>Last 30 days</default>
     <seed>Last 30 days</seed>
    </input>

  </fieldset>

   <searchTemplate>index="c3" source="*submitted_order_count.log" OR source="*failed_order_count.log" | fields source, _time, orderType, paymentType, count</searchTemplate>

<row>
    <single>
      <searchPostProcess>search source="*submitted_order_count.log" AND (paymentType="Postpay" OR paymentType="Prepay") | head 2 | stats sum(count) as total | rangemap field=total low=0-199 severe=400-4000 elevated=200-399</searchPostProcess>
      <title>Current number of 'Submitted' orders</title>
      <earliestTime>-30m</earliestTime>
      <option name="afterLabel">'Submitted' orders</option>
      <option name="classField">range</option>
      <option name="field">total</option>
    </single>
</row>

 <row>
    <chart>
      <title>Submitted orders by type</title>
      <searchPostProcess>search source="*submitted_order_count.log" orderType!="" | timechart avg(count) by orderType limit=0</searchPostProcess>
      <option name="charting.chart">area</option>
      <earliestTime>-28d</earliestTime>
      <option name="Height">400px</option>
      <!--<option name="charting.legend.placement">bottom</option>-->
      <option name="charting.legend.labelStyle.maximumWidth">75</option>
      <option name="charting.primaryAxisTitle.text">time</option>
      <option name="charting.secondaryAxisTitle.text">Number of orders in 'Submitted' state</option>
      <option name="charting.chart.stackMode">stacked</option>
    </chart>
  </row>
</form>

Accepted Answer

2

One problem you will have is that only 10,000 events/results from the original search will be saved and passed to the searchPostProcessing command. Is this likely to be a problem?

link

answered 27 Jul '10, 05:55

gkanapathy ♦
32.4k●4●8●27
accept rate: 41%

Yep, this could potentially limit the history of my searches. However, for my particular search there are only 1440 events a day (1 per minute), so I would have expected a longer history than I am seeing.

This might not be such a big issue as I can always run a seperate search for anything over a week and I could reduce the amount of individual queries substantially.

With this in mind is it possible to use subsearches within the dashboard as the <fieldset> tags seem to cause problems i.e lack of user interaction or defining of a search field results in blank charts.

(27 Jul '10, 08:52) mcwomble

SearchPostProcess within Dashboard

Follow this question

Splunk Resources

Related questions