What is Base Search? Any ideas? If not, don’t worry; that is what we are going to cover in this blog. Let’s first look at a scenario where Base Search applies, so that we can better understand what it is, when to use it, and how to optimize a dashboard with it.
If we take a closer look at the searches used to populate the panels/visualizations in a dashboard, we may find that parts of those searches are very similar to one another. That means the same search runs more than once to populate the results. As a result, Splunk takes more time to load the results, and the overall performance of Splunk can drop. To optimize performance, we are going to use Base Search, which is also known as “Post-Process Searches in Splunk”.
For demonstration purposes I have created three panels in a dashboard. There can be ‘n’ number of panels in the dashboard, but the implementation of Base Search will be the same as explained in this blog.
Now take a look at the searches used to obtain the above results:
index=main sourcetype="csv" | stats count by Payment
index=main sourcetype="csv" "Invoice ID"=* | stats count by date_month | rename date_month as Month | eval foobar_slice = count + ", " + Month | fields foobar_slice, count
index=main sourcetype="csv"| rename "Sub Category" as Sub_Category | stats count by Sub_Category | eval show = count + ", " + Sub_Category | fields show,count
As you can see, one part of the search is common to all three, i.e.,
“index=main sourcetype="csv"”
So, we are going to use this part as the Base Search. The next step is to go to your dashboard, click on Edit, then navigate to Source and add the following into the XML code.
As you can see, we have written our Base Search after the tag. Let’s break it down and try to understand each line. In the first line we have created a <search> tag and given it an “id” attribute. After that we have written our Base Search in the <query> tag, and here we have used “field=*” after our Base Search; this will extract all the fields we will use in the dashboard. You can modify this part to extract only those fields which you will use in your dashboard. And at last, <earliest> & <latest> will apply the time range as mentioned to all the panels which depend on this base search.
Now let’s see how we are going to modify the search in a panel. Before modification, the search that populates the panel looks something like this:
We will modify this search by removing the part that we are using as our base search and writing “search” before the query. Then remove the earliest, latest & sampleRatio tags and add the “base” attribute to the search tag, as shown below:
Modify the searches which use tokens as follows:
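A dashboard source that puts the steps above together, as an added example rather than the XML from the original post. The id "base_csv", the label, the time range and the table panels are assumed values; the three queries are the ones listed earlier, with the common part moved into the base search.

```xml
<dashboard>
  <label>Base search demo</label>
  <!-- Base search: runs once; id, label and time range are assumed values -->
  <search id="base_csv">
    <!-- keep only the fields the panels below actually use -->
    <query>index=main sourcetype="csv" | fields Payment, "Invoice ID", date_month, "Sub Category"</query>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <table>
        <!-- post-process search: no index/sourcetype and no time range of its own -->
        <search base="base_csv">
          <query>stats count by Payment</query>
        </search>
      </table>
    </panel>
    <panel>
      <table>
        <!-- leading "search" keyword because this one starts with a filter -->
        <search base="base_csv">
          <query>search "Invoice ID"=* | stats count by date_month | rename date_month as Month | eval foobar_slice = count + ", " + Month | fields foobar_slice, count</query>
        </search>
      </table>
    </panel>
    <panel>
      <table>
        <search base="base_csv">
          <query>rename "Sub Category" as Sub_Category | stats count by Sub_Category | eval show = count + ", " + Sub_Category | fields show,count</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```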