Apparently as each user reaches the launch page of their dashboard, Splunk issues the following expensive search -
| metadata type=sourcetypes | search totalCount > 0
Why is it, and how can we avoid it, as it puts a huge strain on the system?
The search is marked as Ad Hoc in the DMC which is a bit misleading.
The following thread touches on it - Search Summary Page Automatically Runs Real-Time Searches?
This problem is addressed for version 6.x users in the accepted answer listed as: https://answers.splunk.com/answers/141179/how-to-remove-automatic-real-time-searches-that-run-when-u...
I have to admit that I was a little surprised by this problem as I never knew that these searches were real time.
On the flip side, they are very efficient searches, as they are reading all of the data directly from the metadata.
Also, it is the only case I know of where you can still run real time searches even when turning off real time searches for that user.
-- On the flip side, they are very efficient searches, as they are reading all of the data directly from the metadata.
Strange, as we see many such searches that run for 3-5 minutes...