Hi... We have been having some problems with our Splunk UI running out of Swap space, and the real-time updating of the Summary screen seems to be a contributing factor. So we want to disable this real-time updating.
I have followed the above instructions, trying with just ...dashboard_live.xml, and then adding dashboard.xml in the copy & modify procedure.
It definitely worked to stop the real-time updating, based on looking at the "Events Indexed" counter - it doesn't increment.
However... I'm having a different problem...
The "Sources" pane never updates. "Waiting for search to complete..." is displayed in that pane forever. (OK, I exaggerate... For 15 minutes so far 🙂
In one instance, the "Source types" pane also didn't update, but, most of the time, the other panes (All indexed data, Source types, Hosts) look just fine.
If I switch back to the original configuration (only unchanged, "default" dashboard*.xml files), things work as before (real-time updating back on).
Any ideas why the non-real-time Summary searches are hanging and/or taking much longer?
Thx,
mfeeny1
... View more