Multi-search management is used to manage multiple background searches to populate the results of various panels of the dashboard. Multiple searches run in the background, and the result of the search query is used to run post-process searches, which utilize the result of the background search to evaluate their own result.
Let me explain what multi-search management is so that you may understand it better. Suppose in the dashboard there are six panels and each panel takes 10 seconds for processing the search results. So for six panels, the time will be 60 seconds. Now, if we have a background search which gets all the data required by all six panels in 20 seconds, then using post-process searches instead of running a search on the whole data, the result of the background search is used and the time is reduced to almost three to four seconds per panel instead of 10 seconds per panel.
Thus, multi-search management can be used in a dashboard which has many panels to increase the speed and efficiency of the dashboard.
Let me explain the uses and advantages of multi-search management in Splunk. In the following dashboard we have a background search that will result in a statistical table with a count of all the types of errors which occurred on a web server. Now as shown in the following image, the single values display the count of various types of errors. The result of the background search, which has stats of all types of errors, is run only once, and then the post-process search filters the required data for the respective search panel and displays it.
In a situation where multi-search management is not used for cases like the following, then for each panel there is a search executed on the target data, resulting in latency:
In a real-world scenario, it took close to 40-45 seconds to get the results populated in all the panels of the preceding example when multi-search management was used, whereas in case of a simple dashboard with multi-search the time was around two and a half to three minutes and thus, multi-search management proves to be efficient in real time than not using it.
To summarize, the following are the advantages of using multi-search management:
- Performance optimization by executing a single search with multiple visualizations on the same dashboard leverages
- Populating the inputs from a single global search and post-process within each input
- Performing token-based searches within a post-process so that the need to execute an expensive global search every time a new input is selected is avoided
Now, since we are aware of the advantages of multi-search management, let us see how we can implement this on the Splunk dashboard.
The following are the key points to be remembered when implementing multi-search management:
- Background/global search can be initiated from anywhere on the page or even from the panel
- Background/global search whose result is to be later used to run a post-process search must include an ID as follows (it is not at all necessary to use the same ID
global_searchfor multi-search management, as the ID can be anything the user defined):<search id="global_search">
- Make the post-process search aware that it needs to process the result of the background search by using the
baseparameter in the search, as follows:<search base="global_search">
- To use a saved search within a dashboard will require the use of the parameter
ref, as follows:<search ref="mySavedSearch">
- The syntax for time will change from
earliestTimeandlatestTimetoearliestandlatest, respectively
Now let's see some code snippets, which we can use to implement multisearch management by modifying the XML source code of the dashboard:
- We will first see the creation of a global search and assign an ID. The following image shows a global search with the ID as
globalSearch:
- Use a global/background search in various other visualizations on the page. The following image shows how to use global searches in visualizations:
- Use the global/background search result as input to run another search (post-process search). The following search will run on the a result of search with
idasglobalSearchand compute its result:
- If a saved search is to be made global, then the following line needs to be added to assign an ID to a saved search:
<search id="globalSearch" ref="mySavedSearch"/>
- The following is the syntax to assign a time range when using multi-search management:
This is the way we can use multi-search in our dashboard for optimizing page performance and using Splunk efficiently.