A Splunk dashboard can be heavy and slow to load if it isn't optimized.
The biggest part of the optimization is reusing requests.
To make this easy, Splunk provides a search object that can be used as the basis for other requests.
<search id="baseSearch">
<query>$env$ $project$ action=$action$ $typeCode_tok$
| table timestamp, etransferId, application.name, context, action, correlationId,dd.trace_id, error.code, error.text, log, _raw
| sort timestamp $sort$, time $sort$
</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
This way, most of the data is already loaded, and you only have to refine a few elements for a particular graph.
<search id="baseSearch">
<query>$env$ $project$ action=$action$ $typeCode_tok$
| table timestamp, etransferId, application.name, context, action, correlationId,dd.trace_id, error.code, error.text, log, _raw
</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<search id="baseSearchLatest" base="baseSearch">
<query>search
| stats latest(*) by dd.trace_id
| rename latest(error.code) AS error.code | fillnull value="emptyVal" error.code
| rename latest(action) AS action | fillnull value="null" action
| rename latest(error.text) AS error.text
</query>
</search>
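How panels consume the base search, as an added example that is not part of the original post: one base search runs once and two panels post-process it through `base="baseSearch"`. The index name `app_logs`, the labels, the single `action` input and the renamed output fields are assumptions made for illustration; the `|s` token filter wraps the user-supplied value in quotes before it is substituted into the query.

```xml
<form version="1.1">
  <label>Base search example (constructed)</label>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
    <input type="text" token="action">
      <label>Action</label>
      <default>*</default>
    </input>
  </fieldset>
  <!-- Runs once per dashboard load; the panels below only refine its results. -->
  <!-- index=app_logs is a hypothetical index; $action|s$ quotes the input value. -->
  <search id="baseSearch">
    <query>index=app_logs action=$action|s$
| table timestamp, action, dd.trace_id, error.code, error.text</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <row>
    <panel>
      <title>Events per action</title>
      <chart>
        <!-- Post-process search: no time range of its own, it inherits the base results. -->
        <search base="baseSearch">
          <query>stats count by action</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
    <panel>
      <title>Latest error per trace</title>
      <table>
        <search base="baseSearch">
          <query>stats latest(error.code) AS error_code latest(error.text) AS error_text by dd.trace_id
| fillnull value="emptyVal" error_code</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

A post-process search can only use fields that the base search returns, which is why the base query lists them explicitly in `table`.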
I hope it will help you! 🍺