Re: How to improve performance of a shared dashboa...

vinitatsky · ‎06-22-2015

We have created a Dashboard with some panels showing real-time traffic. When someone opens the this dashboard, it takes long time to display data. Also it creates another Job in Splunk. Is this expected behavior? When dashboard is viewed by many people, it impacts Splunk performance. Is there any way to implement 'shared' dashboard in better ways

martin_mueller · ‎06-22-2015

You can schedule the RT search. Then everyone opening the dashboard will hook into the existing job instead of launching a new one, and will immediately get the job's current results.

vinitatsky · ‎06-22-2015

Thanks Martin.
If I schedule RT search to run it every 5 minutes, then it won't be real-time?

LukeMurphey · ‎06-22-2015

Setting the cron schedule on an RT search will leave the search running in real-time. For RT searches, the cron schedule indicates how often Splunk will kick off the search if it is not already running. If your RT search fails, the cron schedule will indicate how often Splunk will check and restart it if needed. I usually set scheduled RT searches to have a cron schedule of */5 * * * *.

How to improve performance of a shared dashboard with panels running real-time searches if viewed by many users?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases