Dashboards & Visualizations

How to edit my dashboard searches as I change the time range from Last Hour to Last 30 Days and maintain or improve performance?

ashabc
Contributor

I have a dashboard that displays a number of charts taking into account the last one hour of data and automatically refreshes every 5 minutes. It works fine.

Now my management wants a similar chart for the last month's data instead of the last hour. Obviously, if I try to run my search as is over the last 30 days of data, it runs like a snail, which is expected.

Can anyone give me a clue as to how to make it faster? Is a summary index a good option, or are there other ways to run searches faster? I have listed the search commands that I use in my dashboard below:

index=webproxy eventtype=ironport_proxy | eval download=sc_bytes/1024/1024 | stats sum(download) by host

index=webproxy eventtype=ironport_proxy |  stats count by "Display Name" | sort limit=10 count desc

index=webproxy eventtype=ironport_proxy | eval MegaByte=sc_bytes/1048576 | stats max(MegaByte) by "Display Name" | sort limit=10 max(MegaByte) desc

index=webproxy eventtype=ironport_proxy | eval MegaByte=sc_bytes/1048576 | stats max(MegaByte) by c_ip | sort limit=10 max(MegaByte) desc

index=webproxy eventtype=ironport_proxy  | rex field=cs_url "\/\/(?P<s_hostname>[^/]*)" | eval MegaByte=sc_bytes/1048576 | stats max(MegaByte) by s_hostname | sort limit=10 max(MegaByte) desc

index=webproxy eventtype=ironport_proxy | stats count by c_ip | sort limit=10 -count

index=webproxy eventtype=ironport_proxy s_hostname!="-" sc_bytes=* | bucket _time span=1w | eval download=sc_bytes/1024/1024 | eval minute=strftime(_time,"%H:%M") | chart sum(download) over minute by host

mzorzi
Splunk Employee

It looks like your searches are well formatted already.

Since you are running the stats command, you should build a summary index with the sistats command.

Another alternative is to create accelerated data models: http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Aboutdatamodels . This will give your management a fast and easy way to build reports.
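As an added illustration (not part of mzorzi's answer or the original dashboard), here is how two of the searches from the question could be split into a summary-indexing pair: a scheduled search that writes partial aggregates with sistats, and the dashboard search that re-aggregates them with stats over the last 30 days. The summary index name summary_webproxy, the hourly schedule and the saved-search names used in the source filters are assumptions.

```spl
index=webproxy eventtype=ironport_proxy
| eval download=sc_bytes/1024/1024
| sistats sum(download) by host

index=summary_webproxy source="webproxy_download_by_host"
| stats sum(download) by host

index=webproxy eventtype=ironport_proxy
| sistats count by "Display Name"

index=summary_webproxy source="webproxy_count_by_displayname"
| stats count by "Display Name"
| sort limit=10 -count
```

Each sistats search is saved as a scheduled report with summary indexing enabled, running once per hour over the previous hour (earliest=-1h@h latest=@h) so that every event is summarized exactly once; the dashboard panels then keep their original stats/sort clauses but read the small summary index instead of the raw webproxy events. Note that a summary index only covers time after the schedule was enabled, so the first 30 days either need the fill_summary_index.py script that ships with Splunk or a wait until the summary has caught up.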
