Deployment Architecture

Global search versus loading search by SID - what are the tradeoffs/impact on the search head?

rjthibod
Champion

Splunk Enterprise 6.3.x has added lots of features that greatly extend the Simple XML framework. One capability enables saving the job SID for a completed search (see example XML below). That saved SID can then be accessed elsewhere in the dashboard to load the results from the SID (i.e. using the loadjob command).

There are many ways that this method of accessing search results in a single dashboard is more flexible than using a global search and post-processing. Are there any downsides to using the saved SID approach? Is one more efficient than the other terms of memory, dispatching, etc.?

<search>
  <query>
    <INSERT_SPL_SEARCH>
  </query>
  <earliest>-1h</earliest>
  <latest>now</latest>
  <progress>
    <condition match="'job.resultCount' > 0">
       <set token="search_ds_1_sid">$job.sid$</set>
    </condition>
    <condition>
        <unset token="search_ds_1_sid"/>
     </condition>
  </progress>
</search>
0 Karma

MuS
SplunkTrust
SplunkTrust

Hi rjthibod,

using a global search and post-process has limits regarding the results, see docs http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/Savedsearches#Post-process_searches for more details.

Using the loadjob approach has advantage if you use it in dashboards that are used by may people, this way the schedules saved search runs only once and everyone can use the result (eq. lesser network traffic between SH and IDX and lower performance impact if the dashboard is used by 200 or more people for example).

In the end it all depends on your use case ...

Hope this helps ...

cheers, MuS

0 Karma

rjthibod
Champion

Thank you for pointing out the post-process limitations page.

However, I think you misunderstand how I am talking about using loadjob and SIDs. Note, 6.3.X allows one to get the SID of any arbitrary search in a Simple XML panel (see example XML in original post). This not a scheduled saved search in a dashboard, this is the SID of any search in a dashboard regardless of it being saved or not.

Right now, my dashboards have a lot of customizable field selection, so having a saved search is not an option. So, I want to know if I am going to be introducing undesirables in terms of performance/resource utilization if I used the SIDs of my ad-hoc dashboard searches instead of using a global search.

0 Karma

MuS
SplunkTrust
SplunkTrust

You're right, got the wrong - sorry. Well to be honest: no one, besides you, can answer this for your use case and environment. Setup two dashboards, one using post process and one using loadjob and to some tests with your data in your setup. You will soon see what is the best setup for you.....

0 Karma

rjthibod
Champion

I will try to do that this week and come back with results.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...