Skip to main content
Splunk® Enterprise

Splunk Dashboard Studio

Splunk® Enterprise
9.3.1
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Chain searches together with a base search and chain searches

When you use a separate search for each visualization on a large dashboard, you can use a lot of computing power. When these searches begin with the same initial SPL search sections, you can use these sections as a base search and extend it using additional, chained data source searches that will drive the same visualizations, using less computing power because the base search is only run one time for all of the visualizations. This can be done directly in the visual editor.

For example, three data sources have the following three searches which begin with the same first two search sections:
Search 1

index=_internal | stats count by status | where status < 300 | stats sum(count) as "Success"

Search 2

index=_internal | stats count by status | where status >= 400 | stats sum(count) as "Failed"

Search 3

index=_internal | stats count by status | where status >= 400 | where status < 500 | stats sum(count) as "UserError"


You can create two data sources of type ds.chain that tie them to an existing base search. For example:

Chain search 1

| where status < 300 | stats sum(count) as "Success"

Chain search 2

| where status >= 400

You can further extend a chain search by one additional search. For example:

Chain search 2a

| stats sum(count) as "Failed"

Chain search 2b

| where status < 500 | stats sum(count) as "UserError"


Create a chain search

  1. Select a visualization and click Set up a Primary data Source + in the Data Sources section of the Configuration panel.
  2. Select Create Search to create your base search.
  3. Select a second visualization and select Create a Chain Search.
  4. Use the drop down menu under Parent Search to find and select your base search.
  5. Add the SPL to create the chain search.

You can use this method to create up to 10 searches off of the base search, but you can only create 1 additional chain search by extending an existing chain search. To extend a chain search, choose the first chain search as the parent search instead of selecting your base search.

Adding comments in a chain search

Comments in chain searches have a particular behavior when handling pipes. By default, the Splunk Platform adds a pipe to the beginning of each chain search unless a user initially includes the pipe. When adding a comment, remove the pipe from the start of the chain search or include the comment after the first pipe of the chain search.

Best practices for using comments with chain searches:

The following is an example of not including a pipe at the start of the chain search:

```comment``` chart count

This is an example of how to include the comment after the first pipe of the chain search:

| ```comment``` chart count

Example

There are many different combinations you can use once you've established the base search, for example:

The base search becomes:

index=_internal | stats count by status


Search 1 is now the following: base search + Chain search 1

Search 2 is now the following: base search + Chain search 2 + Chain search 2a

Search 3 is now the following: base search + Chain search 2 + Chain search 2b

You can extend many independent chain searches from the base search, and you can extend many second level chains that use the first level chain as their primary data source, but you cannot have a third level of chains that use the a second level chain as a primary data source.

This functionality is similar to the way that you might have used post-process searches using Simple XML.

You can use tokens in both base and chain searches. Any token you create can be used in a search of type ds.chain, but time-related tokens can only be used in the base search.

You cannot specify any properties such as queryParameters, refresh , and refreshType for chain searches. These are inherited from those set in the base search, or from settings in the defaults section. When a base search is refreshed, or its SPL search is changed, the associated chain searches will also be refreshed.

An example of the anatomy of the chain search

In the following example, there are four searches. One base search and three chain searches. One chain search relies on the base search, and the other two rely on the first chain search.

Two single value visualizations and one table visualization using a base and chained searches as data sources

Expand

ds.chain example

Expand this window to see the dashboard definition of the example.

If you are using lookups in your search, make sure the lookup permissions are set to "global".

Best practices for creating chain searches

Use these best practices to make sure that chain searches work as expected.

Use a transforming base search

A base search should be a transforming search that returns results formatted as a statistics table. For example, searches using the following commands are transforming searches: stats, chart, timechart, and geostats, among others. For more information on transforming commands, see About transforming commands in the Search Manual.

Fixing search result and timeout issues

Non-transforming base searches can cause search result and timeout issues. If you observe the following issues in a dashboard, check the base search to make sure that it is a transforming search:

  • no results returned
  • event retention
  • client timeout
  • the collect command

No results returned
If the base search is a non-transforming search, you must explicitly state in the base search what fields will be used in the chain search using the | fields command. For example, if your chain search will search for the top selling buttercup game categories over time, you would use a search command similar to the following.

| fields _time, categoryId, action

Event retention
If the base search is a non-transforming search, the Splunk platform retains only the first 500,000 events that it returns. A chain search does not process events in excess of this 500,000 event limit, silently ignoring them. This can generate incomplete data for the chain search.

This search result retention limit matches the max_count setting in limits.conf. The setting default is 500,000.

Client timeout
If the chain search takes too long, it can exceed the Splunk Web client timeout value of 30 seconds.

The collect command

The collect command does not work with chain searches when used in the base search.

For more information about transforming searches, see transforming commands and searches in the Search Manual.

Do not reference fields in chain searches that are not referenced in the base search

A chain search depends entirely on the fields present in the base search. If you are not referencing a particular field in the base search, do not reference it in the chain search. Fields used in transforming commands will automatically be available for chain searches. When transforming commands are not used in a base search, fields without a reference in the base search appear null in a chain search. The chain search returns no results in this case.

Utilize fewer base searches

Using fewer base searches can improve your dashboard's performance. For example, one base search is often more efficient than multiple base searches.

Limit base search results and chain complexity

Passing a large number of search results to a chain search can cause server timeout issues. In this scenario, consider adjusting the base search to reduce the number of results and fields that it returns. You can also consider reducing the complexity of chain searches on the base search results.

You can use a single chain search from a base search to generate results or you can generate multiple chain searches together.

Base and chain refresh behavior

Specific changes occurring in a base or chain will impact the refresh behavior of the base and chain. The following describes the actions that initiate a refresh on a base, chain, or both.

Description Refresh behavior
Token value changes in the base. Entire base and chain tree refreshes.
Token value changes in only the chain. No change occurs in the base. Only the chain search refreshes. The base does not refresh.
Auto refresh interval is set on a base or chain. Entire base and chain tree refreshes.
Manual refresh is triggered on a base or chain. Entire base and chain tree refreshes.
Last modified on 08 August, 2024
Create search-based visualizations with ds.search   Use reports and saved searches with ds.savedSearch

This documentation applies to the following versions of Splunk® Enterprise: 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters