Solved: How can I speed up a dynamic dashboard input that ...

goodsellt · ‎11-02-2016

Hello,

I'm attempting to create a form / dashboard which is designed to present the status of a client or list of clients based upon an input multi select for each client. I'm currently using a search which returns a static field. I've written a search which returns them (~ 8000 clients). However, as soon as the list populates it becomes extremely slow to interact with. I'd imagine it's probably due to the size of it, however I'm not sure what workaround I could use that allows for validated input (so a user could input text into the box and only be able to select a valid client).

Are there any recommendations or workaround I need to try to get a form input of this size (~8000) working smoothly?

I'm currently running Splunk 6.3.0.1

lguinn2 · ‎11-02-2016

Here is an idea: run a search periodically (once an hour maybe?) that outputs a csv file containing your list of 8000 items.
In your dashboard, in the "populating search" that builds the drop-down, use the inputlookup command to retrieve the data instead of the current search.

There is also a way to force Splunk to create tsidx files for lookup tables above a certain size. You do this by setting max_memtable_bytes in limits.conf. This might make the dashboard faster, but I am not sure, since it has to load all the data into the picker already.

I am not sure that either of these will make a dramatic difference. Before you go too far, load your dashboard in one window. In another window, logged into Splunk as the same user, look under Activity>>Jobs. See if you can find the searches that were run "behind" the dashboard. For each of these searches, click "inspect job" to find out more about how that search executed. Here is a lot of info about the Search Job Inspector that may be helpful.

Good luck and let us know what you find out!

View solution in original post

gcusello · ‎11-03-2016

Hi goodsellt,
You have two solutions:

periodically save results in a lookup using the outputlookup command and use this lookup to populate your list;
use a text box.

I had this problem and I used the second one because, using a lookup you quickly populate your list that has 8000 items and it isn't so manageable.

The problem is if you have to search multiple values, because you cannot use your field and you have to run a full text search inserting OR between your words.

Bye.
Giuseppe

lguinn2 · ‎11-02-2016

Here is an idea: run a search periodically (once an hour maybe?) that outputs a csv file containing your list of 8000 items.
In your dashboard, in the "populating search" that builds the drop-down, use the inputlookup command to retrieve the data instead of the current search.

There is also a way to force Splunk to create tsidx files for lookup tables above a certain size. You do this by setting max_memtable_bytes in limits.conf. This might make the dashboard faster, but I am not sure, since it has to load all the data into the picker already.

I am not sure that either of these will make a dramatic difference. Before you go too far, load your dashboard in one window. In another window, logged into Splunk as the same user, look under Activity>>Jobs. See if you can find the searches that were run "behind" the dashboard. For each of these searches, click "inspect job" to find out more about how that search executed. Here is a lot of info about the Search Job Inspector that may be helpful.

Good luck and let us know what you find out!

goodsellt · ‎01-19-2017

I got around to testing this and it has speed up the responsiveness of the input box pretty dramatically (using an inputlookup for the population), it sounds like for this scenario this is a pretty good workaround.

How can I speed up a dynamic dashboard input that is extremely slow to interact with?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM