We have created a dashboard with some panels showing real-time traffic. When someone opens this dashboard, it takes a long time to display data. Also, it creates another job in Splunk. Is this expected behavior? When the dashboard is viewed by many people, it impacts Splunk performance. Is there any way to implement a 'shared' dashboard in a better way?
You can schedule the RT search. Then everyone opening the dashboard will hook into the existing job instead of launching a new one, and will immediately get the job's current results.
Thanks Martin.
If I schedule the RT search to run every 5 minutes, then it won't be real-time?
Setting the cron schedule on an RT search will leave the search running in real-time. For RT searches, the cron schedule indicates how often Splunk will kick off the search if it is not already running. If your RT search fails, the cron schedule will indicate how often Splunk will check and restart it if needed. I usually set scheduled RT searches to have a cron schedule of */5 * * * *.
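A scheduled real-time search of the kind described in this thread, written as a savedsearches.conf stanza. This is an added example, not part of the original posts; the stanza name, index, sourcetype and search string are hypothetical.

```ini
# savedsearches.conf (added example; stanza name and search are hypothetical)
[RT Traffic Overview]
# Hypothetical search feeding the shared dashboard panel
search = index=network sourcetype=firewall | timechart span=1m count by action

# rt-prefixed time bounds make this a real-time search with a 5 minute window.
# The window is set here, not by the cron schedule.
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt

# Scheduling keeps one job running for all viewers to attach to.
# For a real-time search the cron expression only controls how often Splunk
# checks whether the job is running and starts it again if it is not.
enableSched = 1
cron_schedule = */5 * * * *
```

A Simple XML panel can then point at the saved search by name with `<search ref="RT Traffic Overview"></search>` instead of embedding its own inline query.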