How To Load Dashboard Faster Using “Base Search”
Hello, today in this blog we are going to use “Base Search” to make your dashboard load faster than ever before.
In Splunk, there are a few types of searches available to populate search results or visualizations in a dashboard. Those are:
1. Inline searches
2. Reference report searches
3. Post-process searching
4. Pre-built panels searches
5. Pivot generating searches
and many more.
Among these searches, our point of discussion will be “Post-process searches”. Often you will find several searches similar to each other in one dashboard. That means the same kind of search is running more than once to populate different search results. This makes Splunk do extra work. That is why the concept of “base search” came into the picture, which is also known as “Post Process searches in Splunk”.
A normal dashboard can contain numerous panels according to the conditions and each of the panels will have a different search query.
Now take a look at those things which make your dashboard slow.
1. “Search is waiting for input” – This is a normal message that you will find on panels every time you launch your dashboard. This message is due to the tokens that you created for different inputs. Those tokens take time to pass through to the panels. This is the first thing that makes a dashboard slow.
2. Each panel contains a different search query – Suppose you have five panels in your dashboard and each panel contains a different search query, as it should. Each query loads one by one, so if one query takes 5 seconds to load, the complete dashboard takes approximately 25 seconds to load (this can vary from query to query).
In this blog, we will work on the base search. Let’s say we have multiple panels in a dashboard and it takes a lot of time to load. That will create a bad impression on your client. By using the base search, the complete dashboard will load simultaneously and faster.
We have a dashboard named as “New_Demo_Dashboard” with three different panels and a “text input”.
In each of these three panels, we have three different queries like this.
1st Panel – index="_internal" sourcetype="splunkd_ui_access" $text_token$ |top status |head 1
2nd panel – index="_internal" sourcetype="splunkd_ui_access" $text_token$ |top method |head 1
3rd Panel – index=_internal sourcetype=splunkd_ui_access $text_token$ |table method status file bytes uri_path | search |dedup file
Here $text_token$ is the token for text input.
As you can see, these three panels have a common portion, i.e. “index=_internal sourcetype=splunkd_ui_access $text_token$”, so we will make this portion our base search.
So click Edit and then click on Source.
Now make the following changes as shown.
At first, at the top create a “search” tag and define an “id”. Within the “query” tag, write the common portion of the query from the three panels, followed by a table command (or fields command) that lists all the field names used anywhere in the dashboard. Then mention the earliest and latest time, which will apply to all the panels, and mention “sampleRatio” as 1.
Now go to panels one by one and make these changes.
On each panel, pass the “id” that we defined in the previous step, like “base=<id>”, inside the search tag. Then in the query tag, remove the common portion of the query (it is now in the base search) and write “search” before the query.
Also, remove the earliest, latest, and sampleRatio tags from each panel, because those are already mentioned in the base search.
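The source edits from the steps above, written out as one Simple XML dashboard. This is an added example, not the blog's own source: the id `base_search`, the time range, the input's default value and the `<table>` panel type are assumptions.

```xml
<!-- Added example: hypothetical Simple XML source for New_Demo_Dashboard.
     Assumed values: id "base_search", the time range, the "*" default. -->
<form>
  <label>New_Demo_Dashboard</label>
  <!-- Base search: the common portion, run once for the whole dashboard.
       The table command lists every field the panels use. -->
  <search id="base_search">
    <query>index="_internal" sourcetype="splunkd_ui_access" $text_token$ | table method status file bytes uri_path</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="false">
    <input type="text" token="text_token">
      <label>Text</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>1st Panel</title>
      <table>
        <!-- Post-process search: references the base search by id and
             carries no earliest, latest or sampleRatio of its own. -->
        <search base="base_search">
          <query>search | top status | head 1</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>2nd Panel</title>
      <table>
        <search base="base_search">
          <query>search | top method | head 1</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>3rd Panel</title>
      <table>
        <search base="base_search">
          <query>search | dedup file</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

A field left out of the base search's table list is not available to any panel's post-process query.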
Save it and now load the dashboard; you can see that the dashboard is loading faster than earlier.
This is because Splunk will no longer run the query 3 times. It will run the query only one time and will distribute the results among the panels.
I hope now you can create / load a dashboard faster without any headache.