Dashboards & Visualizations

How to cache previous search results from a dashboard and to only run a search from the current time to the last cache search time?

brianlee12
Engager

Hi,

I have a dashboard with a search that produces how much data has been indexed by Splunk for a given time range. However, due to the large amount of data being processed, this search is quite slow. I was wondering what the best method is for caching previous search results and only search from the current time to the last cache searched. For example, if I was searching how much data was indexed the past 7 days, and I had a cached search for the first 4 days, I'd like to use that cached search then add on the remaining last 3 days.

Any help is appreciated! Thanks.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Splunk doesn't have the ability to Cache search results and use them like this per say at search time (you can look at the loadjob command and understand what I mean here.) So I believe you want to use Report Acceleration.

I would advise you look here first :

https://docs.splunk.com/Documentation/Splunk/6.4.3/Knowledge/Manageacceleratedsearchsummaries

That has a good outline of what you have to do and what kind of searches you can use this on. There are constraints on the search you can enable this on along with how to check how much is Accelerated.

Masa
Splunk Employee
Splunk Employee

I agree with @esix for making use of Report Acceleration.

Splunk doesn't have the ability to
Cache search results and use them like
this per say at search time

Confusing comment. Search result will be cached by default. Just for this use case, it is not recommended to make use of it. Report Acceleration is a way better solution

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...