Splunk Search

How to improve performance of a shared dashboard with panels running real-time searches if viewed by many users?

vinitatsky
Communicator

We have created a Dashboard with some panels showing real-time traffic. When someone opens the this dashboard, it takes long time to display data. Also it creates another Job in Splunk. Is this expected behavior? When dashboard is viewed by many people, it impacts Splunk performance. Is there any way to implement 'shared' dashboard in better ways

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You can schedule the RT search. Then everyone opening the dashboard will hook into the existing job instead of launching a new one, and will immediately get the job's current results.

vinitatsky
Communicator

Thanks Martin.
If I schedule RT search to run it every 5 minutes, then it won't be real-time?

0 Karma

LukeMurphey
Champion

Setting the cron schedule on an RT search will leave the search running in real-time. For RT searches, the cron schedule indicates how often Splunk will kick off the search if it is not already running. If your RT search fails, the cron schedule will indicate how often Splunk will check and restart it if needed. I usually set scheduled RT searches to have a cron schedule of */5 * * * *.

Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...