Dashboards & Visualizations

Improve dashboard performance

balash1979
Path Finder

I have the following source in my dashboard. The dashboard loads fine, but it takes a long time (around 5 to 10 mins) for the search to complete. I am interested in looking at the last 24 hrs of data in this panel. Are there any options that I can use in my source to speed things up?

  <form theme="dark">
    <fieldset submitButton="false">
      <input type="time" token="field1">
        <label>TimeRange</label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
    </fieldset>
    <row>
      <panel>
        <table>
          <search>
            <query>MY ENTIRE QUERY SEARCH</query>
            <earliest>$field1.earliest$</earliest>
            <latest>$field1.latest$</latest>
            <sampleRatio>1</sampleRatio>
          </search>
          <option name="count">100</option>
          <option name="dataOverlayMode">none</option>
          <option name="drilldown">none</option>
          <option name="percentagesRow">false</option>
          <option name="rowNumbers">true</option>
          <option name="totalsRow">false</option>
          <option name="wrap">true</option>
        </table>
      </panel>
    </row>
  </form>

0 Karma

burwell
SplunkTrust

Without seeing your search, as others have commented, it's hard to know how to speed things up.

As a suggestion: create a scheduled search to run each day.

Then use loadjob to load the results in:

| loadjob savedsearch="yourusername:yourapp:yoursearchname"

For example:

| loadjob savedsearch=burwell:search:mysearch1

You can add events=false to speed things up.

0 Karma
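
The scheduled-search-plus-loadjob approach from the answer above, sketched as an added example that is not part of the original post. The saved search name, owner and app reuse the answer's `burwell:search:mysearch1`; the daily cron time and the `savedsearches.conf` stanza are assumptions.

```xml
<!--
  Added example, not from the thread. Assumed saved search definition
  (savedsearches.conf in the "search" app, owned by burwell), run once a
  day over the previous 24 hours:

    [mysearch1]
    search = MY ENTIRE QUERY SEARCH
    enableSched = 1
    cron_schedule = 0 6 * * *
    dispatch.earliest_time = -24h@h
    dispatch.latest_time = now
-->
<dashboard theme="dark">
  <row>
    <panel>
      <table>
        <search>
          <!-- Loads the stored results of the latest scheduled run, so the
               expensive query does not execute when the dashboard opens. -->
          <query>| loadjob savedsearch="burwell:search:mysearch1" events=false</query>
        </search>
        <option name="count">100</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">true</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>
```

The panel shows results as of the last scheduled run, so a time picker on the dashboard no longer changes what is displayed; the time window is fixed by the saved search's dispatch settings.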

martynoconnor
Communicator

You will need to tell us about what your actual search is, what version of Splunk you're using, your architecture, your data ingest volumes etc etc before there's any way we can help with a query this generic.

0 Karma

balash1979
Path Finder

I actually don't know the architecture, as I personally don't manage Splunk. Not sure about ingest volumes.
The query is proprietary and hence I am not able to share it. The query is basically getting events from a lot of different cloud stacks we have, and then I sort the data before displaying it in the dashboard. When I run the search, I see a lot of events getting processed (in the order around 10 million+) with no event sampling. So I am wondering if there is anything I can do to speed things up.

0 Karma

to4kawa
Ultra Champion

in the order around 10 million+

Too many.
What are you searching for?
If you don't narrow your search, it won't get faster.

0 Karma

niketn
Legend

@balash1979 unfortunately community experts would not be able to assist you with your question without having the understanding of your data and Splunk search that you are running. There are several possibilities of optimizing search query depending on data, correlation and SPL that you have. Refer to one of my older answers for some of these: https://answers.splunk.com/answers/653570/what-is-the-best-way-to-learn-and-master-splunk-se.html#an...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"