Chain searches together with a base search and chain searches
When you use a separate search for each visualization on a large dashboard, you can use a lot of computing power. When these searches begin with the same initial SPL search sections, you can use these sections as a base search and extend it using additional, chained data source searches that will drive the same visualizations, using less computing power because the base search is only run one time for all of the visualizations. This can be done directly in the visual editor.
For example, three data sources have the following three searches which begin with the same first two search sections:
Search 1
index=_internal | stats count by status | where status < 300 | stats sum(count) as "Success"
Search 2
index=_internal | stats count by status | where status >= 400 | stats sum(count) as "Failed"
Search 3
index=_internal | stats count by status | where status >= 400 | where status < 500 | stats sum(count) as "UserError"
You can create two data sources of type ds.chain
that tie them to an existing base search. For example:
Chain search 1
| where status < 300 | stats sum(count) as "Success"
Chain search 2
| where status >= 400
You can further extend a chain search by one additional search. For example:
Chain search 2a
| stats sum(count) as "Failed"
Chain search 2b
| where status < 500 | stats sum(count) as "UserError"
Create a chain search
- Select a visualization and click Set up a Primary data Source + in the Data Sources section of the Configuration panel.
- Select Create Search to create your base search.
- Select a second visualization and select Create a Chain Search.
- Use the drop down menu under Parent Search to find and select your base search.
- Add the SPL to create the chain search.
You can use this method to create up to 10 searches off of the base search, but you can only create 1 additional chain search by extending an existing chain search. To extend a chain search, choose the first chain search as the parent search instead of selecting your base search.
Adding comments in a chain search
Comments in chain searches have a particular behavior when handling pipes. By default, the Splunk Platform adds a pipe to the beginning of each chain search unless a user initially includes the pipe. When adding a comment, remove the pipe from the start of the chain search or include the comment after the first pipe of the chain search.
Best practices for using comments with chain searches:
The following is an example of not including a pipe at the start of the chain search:
```comment``` chart count
This is an example of how to include the comment after the first pipe of the chain search:
| ```comment``` chart count
Example
There are many different combinations you can use once you've established the base search, for example:
The base search becomes:
index=_internal | stats count by status
Search 1 is now the following: base search
+ Chain search 1
Search 2 is now the following: base search
+ Chain search 2
+ Chain search 2a
Search 3 is now the following: base search
+ Chain search 2
+ Chain search 2b
You can extend many independent chain searches from the base search, and you can extend many second level chains that use the first level chain as their primary data source, but you cannot have a third level of chains that use the a second level chain as a primary data source.
This functionality is similar to the way that you might have used post-process searches using Simple XML.
You can use tokens in both base and chain searches. Any token you create can be used in a search of type ds.chain
, but time-related tokens can only be used in the base search.
You cannot specify any properties such as queryParameters
, refresh
, and refreshType
for chain searches. These are inherited from those set in the base search, or from settings in the defaults
section. When a base search is refreshed, or its SPL search is changed, the associated chain searches will also be refreshed.
An example of the anatomy of the chain search
In the following example, there are four searches. One base search and three chain searches. One chain search relies on the base search, and the other two rely on the first chain search.
If you are using lookups in your search, make sure the lookup permissions are set to "global".
Best practices for creating chain searches
Use these best practices to make sure that chain searches work as expected.
Use a transforming base search
A base search should be a transforming search that returns results formatted as a statistics table. For example, searches using the following commands are transforming searches: stats
, chart
, timechart
, and geostats
, among others. For more information on transforming commands, see About transforming commands in the Search Manual.
Fixing search result and timeout issues
Non-transforming base searches can cause search result and timeout issues. If you observe the following issues in a dashboard, check the base search to make sure that it is a transforming search:
- no results returned
- event retention
- client timeout
- the
collect
command
No results returned
If the base search is a non-transforming search, you must explicitly state in the base search what fields will be used in the chain search using the | fields
command. For example, if your chain search will search for the top selling buttercup game categories over time, you would use a search command similar to the following.
| fields _time, categoryId, action
Event retention
If the base search is a non-transforming search, the Splunk platform retains only the first 500,000 events that it returns. A chain search does not process events in excess of this 500,000 event limit, silently ignoring them. This can generate incomplete data for the chain search.
This search result retention limit matches the max_count
setting in limits.conf
. The setting default is 500,000.
Client timeout
If the chain search takes too long, it can exceed the Splunk Web client timeout value of 30 seconds.
The collect
command
The collect
command does not work with chain searches when used in the base search.
For more information about transforming searches, see transforming commands and searches in the Search Manual.
Do not reference fields in chain searches that are not referenced in the base search
A chain search depends entirely on the fields present in the base search. If you are not referencing a particular field in the base search, do not reference it in the chain search. Fields used in transforming commands will automatically be available for chain searches. When transforming commands are not used in a base search, fields without a reference in the base search appear null in a chain search. The chain search returns no results in this case.
Utilize fewer base searches
Using fewer base searches can improve your dashboard's performance. For example, one base search is often more efficient than multiple base searches.
Limit base search results and chain complexity
Passing a large number of search results to a chain search can cause server timeout issues. In this scenario, consider adjusting the base search to reduce the number of results and fields that it returns. You can also consider reducing the complexity of chain searches on the base search results.
You can use a single chain search from a base search to generate results or you can generate multiple chain searches together.
Base and chain refresh behavior
Specific changes occurring in a base or chain will impact the refresh behavior of the base and chain. The following describes the actions that initiate a refresh on a base, chain, or both.
Description | Refresh behavior |
---|---|
Token value changes in the base. | Entire base and chain tree refreshes. |
Token value changes in only the chain. No change occurs in the base. | Only the chain search refreshes. The base does not refresh. |
Auto refresh interval is set on a base or chain. | Entire base and chain tree refreshes. |
Manual refresh is triggered on a base or chain. | Entire base and chain tree refreshes. |
Create search-based visualizations with ds.search | Use reports and saved searches with ds.savedSearch |
This documentation applies to the following versions of Splunk® Enterprise: 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2
Feedback submitted, thanks!