
Dashboard performance with "large" data sets

responsys_cm
Builder

We're building an app to manage our Nessus vulnerability results. We would like to create a dashboard for people to search for various criteria in Nessus plugins and display a series of tables with tabs. We're using Sideview Utils 2.x for the app.

Currently, the dashboard is set up to do a search that does | inputlookup append=t nessus_plugin_database. That lookup file is about 30 MB in size. Each tab searches that data for results with CVE identifiers, Bugtraq or OSVDB IDs, etc. Even though I have defined a maximum search time of three minutes, the tabs that return the most data are timing out with a message about how the search expired or was cancelled.

I have no idea what the relationship is between the client and server as far as where data is stored (locally or server), where it executes, etc.

What are the best practices for creating dashboards that need to input a large amount of data? Are there differences between doing an inputlookup vs. searching an index for the same raw data?

Thx.

Craig


sideview
SplunkTrust

From other questions I think I've seen this view and the searches and postprocess searches being used against this lookup. And I think that the problem is that you're using a base search to load the 30MB worth of inputlookup rows, and then you're using somewhat complex postprocess searches to then process those rows.

I would try just doing it all in the Search. The argument to involve postprocess usually centers around the desire to avoid pulling many GB of events off of disk. A 30MB lookup on the other hand is relatively tiny compared to 1GB or 50GB of raw events. So doing it all in Search isn't going to be any less efficient really. And on top of that the postprocess architecture can start to get slow when there are lots and lots of rows to filter and analyze and lots of rows to return - possibly you're hitting some of that.

Anyway, that's what I'd try.

Instead of having a search like

| inputlookup nessus_plugin_reference_lookup append=t | inputlookup open_vulnerabilities_lookup append=t

and then running various long postProcess searches with

<module name="PostProcess">
  <param name="search">$selectedTab$</param>
</module>

try just doing a Search module down where you had that PostProcess module:

<module name="Search">
  <param name="search">| inputlookup nessus_plugin_reference_lookup | inputlookup open_vulnerabilities_lookup append=t | $selectedTab$</param>
</module>
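A complete Sideview Utils view built the way the answer suggests, added here as an illustration and not code from the thread or from Sideview: a Tabs module (assumed to be where the $selectedTab$ token comes from) whose tab values are SPL fragments, one Search module that loads both lookups and appends the selected fragment, and a paged Table underneath, with no PostProcess module. The tab fragments, the lookup field names (plugin_id, plugin_name, severity, cve_id, bid, osvdb_id) and the layoutPanel names are assumptions chosen for the example.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original thread. Assumed: the Tabs module
     supplies $selectedTab$; lookup field names (cve_id, bid, osvdb_id, ...)
     and the tab SPL fragments are illustrative only. -->
<view template="dashboard.html" isSticky="false" onunloadCancelJobs="true">
  <label>Nessus plugin reference</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

  <!-- Each tab's value is the SPL that gets appended after the two inputlookups,
       so it must begin with a command (here "search"), not with a pipe. -->
  <module name="Tabs" layoutPanel="panel_row1_col1">
    <param name="name">selectedTab</param>
    <param name="staticTabs">
      <list>
        <param name="label">CVE</param>
        <param name="value">search cve_id=* | table plugin_id plugin_name severity cve_id</param>
      </list>
      <list>
        <param name="label">Bugtraq</param>
        <param name="value">search bid=* | table plugin_id plugin_name severity bid</param>
      </list>
      <list>
        <param name="label">OSVDB</param>
        <param name="value">search osvdb_id=* | table plugin_id plugin_name severity osvdb_id</param>
      </list>
    </param>

    <!-- One search job per tab selection. The lookups are read and filtered
         on the search head; the browser only receives the rows the Pager asks
         for, so the full 30 MB lookup is never shipped to the client. -->
    <module name="Search">
      <param name="search">| inputlookup nessus_plugin_reference_lookup | inputlookup open_vulnerabilities_lookup append=t | $selectedTab$</param>
      <module name="JobProgressIndicator"/>
      <module name="Pager">
        <module name="Table"/>
      </module>
    </module>
  </module>
</view>
```

Switching tabs re-dispatches the Search module with the new fragment, which is the trade the answer describes: one full search per tab instead of one base search plus a PostProcess over all 30 MB of rows. Because the filtering happens in the search job rather than in PostProcess, the three-minute search limit applies to a search that returns only the rows the tab needs.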