Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I improve the performance of dropdown load on dashboards?

egid_la
New Member
‎10-30-2017 01:32 AM

I'm currently running Splunk 6.5.3

I created a form which is designed to present business codes based on an input multi select.

I used a search which returns results on last 24 hours but it slow.(~ 3000 business codes)

I tried to use the inputlookup command to retrieve the data instead of the current search but it still slow on last 24 hours. (~ 3000 business codes)

I guess it's related to the size because if i change time to 4 hours, it's faster.

How can i improve the performance of drop down load on dashboards?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Runals
Motivator
‎10-30-2017 06:08 AM

When you say you used a lookup command are you saying the query behind the multi select is doing | inputlookup .... ? I'd generally recommend having a scheduled search run that populates that lookup to keep it updated and query from there. This would make the process of finding the business codes much faster vs having to extract the information from the raw data. From what you mention though there could be an issue as the UI tries to iterate over the 3k options.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎10-30-2017 06:33 AM

@egid_la for community to assist you with performance tune your multi select you would need to provide your current search (with mocked up field names if required).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

egid_la
New Member
‎10-30-2017 07:19 AM

| inputlookup business_codes.csv
| stats by PART
| table PART

business_codes

AXX
BXX
CXX
DXX
EXX
...
(~ 3000 results)

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎10-30-2017 07:36 AM

You are showing values as business_codes but stats and table use field as PART. Not sure which one is correct, but hoping you are interested in business_codes have you tried dedup command?

| inputlookup business_codes.csv 
| dedup business_codes 
| table business_codes
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

egid_la
New Member
‎10-30-2017 08:43 AM

Yes excuse me,

| inputlookup business_codes.csv
| rename PART AS business_codes
| stats by business_codes
| table business_codes

business_codes
AXX
BXX
CXX
DXX
EXX
...
(~ 3000 results)

0 Karma
Reply
Solved! Jump to solution

egid_la
New Member
‎10-30-2017 08:43 AM

Same result for dedup

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎10-30-2017 09:27 AM

How about the following:

| inputlookup business_codes.csv
| table PART
| dedup PART
| rename PART as business_codes

Here, rename is done after dedup.
You dont have to stress too much since you already have a solution that works 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

egid_la
New Member
‎10-31-2017 01:06 AM

Ok i know now thanks

0 Karma
Reply
Solved! Jump to solution
Solution

Runals
Motivator
‎10-30-2017 06:08 AM

When you say you used a lookup command are you saying the query behind the multi select is doing | inputlookup .... ? I'd generally recommend having a scheduled search run that populates that lookup to keep it updated and query from there. This would make the process of finding the business codes much faster vs having to extract the information from the raw data. From what you mention though there could be an issue as the UI tries to iterate over the 3k options.

0 Karma
Reply
Solved! Jump to solution

egid_la
New Member
‎10-30-2017 06:24 AM

Yes it's | inputlookup.
I tried scheduled search it's faster.
Thanks

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-30-2017 05:08 AM

Hi egid_la,
when I have so many items I prefer to use a text box instead of dropdown.
Eventually putting *before and after input.

In this way there aren't problems in loading.
To have more performaces I suggest to use a lookup or a txidx file (txcollect).

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

egid_la
New Member
‎10-30-2017 06:19 AM

What do you mean by putting *before and after input ?
Thanks

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-30-2017 06:33 AM

Hi egid_la,
to take a substring with * vefore and after, something like this:

<input type="text" token="filter">
  <label>Filter</label>
  <initialValue></initialValue>
  <prefix>*</prefix>
  <suffix>*</suffix>
</input>

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

egid_la
New Member
‎10-30-2017 07:21 AM

Hi cusello,

It's clear now

Bye

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...