Question:

Working on making dashboards to help report on activity. To make the dashboards as performant as possible, I'm using base searches.

Doing a straight search for one of the panels got: 98,803 results, and took up 0.29 MB. However, it appears that using base searches throughout a dashboard (1 search, but used in all the panels) almost causes an exponential increase in the size of the search - which causes the search to prematurely terminate. Just turning that 1 search into a 1 panel dashboard using a base search got same number of results, but took up 83.66 MB. If I trim down results to just the last 2 weeks (instead of the last month), I get around 45,000 results, and the dashboard load only takes up 7MB.

I'm trying to figure out if I'm doing something wrong? Or should I not use base queries at all - as they seem to constantly cause performance issues?

Answer:

Rows are called events and columns are called fields. Most search commands work with a single event at a time. The foreach command loops over fields within a single event. Use the map command to loop over events (this can be slow).

- build an accelerated datamodel containing the results and query Splunk with filters and/or any aggregation commands applied to the datamodel, so you are only pulling a smaller set of results out.
- cache the loaded job in a database outside of Splunk and poll it from there.

Reply from the asker:

I really appreciate the quick responses, and I hope you can help us get to a good pattern we can follow with other dashboards we are working to create. Sure, here is the whole dashboard (slightly modified, to protect the innocent!).

Base search:

    sourcetype=mySource $tenantid_tok$ NOT CrashReport NOT ErrorReport ("TYPE1" OR "TYPE2")
    | spath input=checkPoint output=eventName path=EventName
    | where match(eventName,"TYPE1") or match(eventName,"TYPE2")
    | spath input=checkPoint output=userId path=UserId
    | spath input=checkPoint output=tenantId path=TenantId
    | spath input=checkPoint output=eventTime path=EventTime
    | spath input=checkPoint output=metaData path=MetaData
    | spath input=metaData output=userType path=USER_TYPE
    | spath input=checkPoint output=deviceId path=DeviceId
    | spath input=checkPoint output=deviceModel path=DeviceModel
    | spath input=checkPoint output=deviceOS path=DeviceOS
    | spath input=checkPoint output=appVersion path=Version
    | eval deviceType=if(like(deviceOS,"Android%"),"Android","iOS")
    | fields eventName,userId,tenantId,eventTime,metaData,userType,deviceId,deviceModel,deviceOS,appVersion,deviceType,fullUserName

Panel searches (run against the base search):

    | timechart dc(fullUserName) as "Unique Users"

    | eval versionAndDevice=appVersion+" ("+deviceType+")" | chart count by versionAndDevice useother=false

    | chart count by deviceModel useother=false

Answer:

I would suggest creating a base search for all panels, except the timechart panel. And repeat your search for timechart panel.