Shared searching using a base search

To limit how many searches we kick off at one time, we can have our panels in Splunk refer to a base search that starts when the dashboard loads. The base search itself is hidden, but its results are displayed in the panels within the dashboard, and we can still use our tokens within the search. You will have to go into the XML to do this, but it's often worth the performance increase.
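A minimal Simple XML form showing the pattern described above, added here as an illustration and not taken from the book or from the Dashboard Examples app. It uses the `<search id>` / `<search base>` syntax; the index, sourcetype, field names, token names and the search id `base_web` are all assumptions.

```xml
<form>
  <label>Web traffic overview (added example)</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="status_tok">
      <label>HTTP status</label>
      <default>*</default>
    </input>
  </fieldset>

  <!-- Hidden base search: dispatched once when the dashboard loads.
       It ends in a transforming command so every field the panels
       need (status, clientip, count) is carried in its results.
       index=web and sourcetype=access_combined are assumed names. -->
  <search id="base_web">
    <query>index=web sourcetype=access_combined | stats count by status, clientip</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>

  <row>
    <panel>
      <title>Requests by status</title>
      <chart>
        <!-- Post-process search: refines the base results, no new search job -->
        <search base="base_web">
          <query>| stats sum(count) as requests by status</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
    <panel>
      <title>Top clients for the selected status</title>
      <table>
        <!-- Tokens still work inside a post-process query -->
        <search base="base_web">
          <query>| search status=$status_tok$ | stats sum(count) as requests by clientip | sort - requests | head 10</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Both panels are fed by the single `base_web` job, so changing `status_tok` only re-runs the post-process step, while changing the time range re-dispatches the base search.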

I recommend downloading an app called Splunk 6.x Dashboard Examples. This will give you a great start; you will find some great tools to help you create some basic and even more advanced dashboards.

I will be using the preceding example app and referencing the techniques in the Recursive Search Post-process section ...
