Shared searching using a base search
To limit how many searches we kick off at one time, we can have our dashboard panels in Splunk refer to a single base search that starts when the dashboard loads. The base search itself is hidden, but its results are displayed in the panels that reference it, and we can still use our tokens within the search. You will have to edit the dashboard's XML to do this, but it's often worth the performance increase.
I recommend downloading an app called Splunk 6.x Dashboard Examples. This will give you a great start; you will find some great tools to help you create some basic and even more advanced dashboards.
I will be using the preceding example app and referencing the techniques in the Recursive Search Post-process section of the Splunk 6.x Dashboard Examples.
Tip
Post-process searches are limited to 10,000 results. Anything with a timechart will almost always have more results than that.
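As an illustration of the base search pattern described above (an added example, not taken from the book or from the Splunk 6.x Dashboard Examples app), the following Simple XML form runs one hidden search and feeds two panels from it. It assumes a Splunk version whose Simple XML supports the `<search id>` and `<search base>` elements; the search ID `base_splunkd`, the tokens `time_tok` and `level_tok`, and the choice of Splunk's own `_internal` index as sample data are all chosen here for illustration.

```xml
<form>
  <label>Base search example (added illustration)</label>
  <!-- Hidden base search: runs once when the dashboard loads.
       Aggregating with stats here keeps the result set small, so the
       post-process searches stay well under the result limit. -->
  <search id="base_splunkd">
    <query>index=_internal sourcetype=splunkd | bin _time span=5m | stats count by _time, component, log_level</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="level_tok">
      <label>Log level</label>
      <choice value="*">All</choice>
      <choice value="ERROR">ERROR</choice>
      <choice value="WARN">WARN</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events over time</title>
      <chart>
        <!-- Post-process search: starts from the base results, no new index scan -->
        <search base="base_splunkd">
          <query>search log_level="$level_tok$" | timechart span=5m sum(count) AS events by log_level</query>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Top components</title>
      <table>
        <!-- Second panel reuses the same base results with a different rollup -->
        <search base="base_splunkd">
          <query>search log_level="$level_tok$" | stats sum(count) AS events by component | sort - events | head 10</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the token filter sits in the post-process queries rather than in the base search, changing the dropdown re-filters the existing results instead of dispatching a new search against the index.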
In our previous example, all of the panels use the same data to populate their...