Splunk Search

Where is the option to disable "Preview" at? Can't find it anywhere...

tmeader
Contributor

I've got some other questions on here out in regards to search performance, and several replies have mentioned "disabling preview" in order to speed up a search. People keep saying to "uncheck 'Preview'", but I cannot find this check box ANYWHERE in Splunk. What am I missing here? It's not an option when you go to edit a saved search, it's not an option that appears anywhere around the flashtimeline, it's not in the "Options" pop-up in the results area... nowhere. In addition, for scheduled searches that run on a cron, does this option need to be disabled somehow, or is it just disabled by default for background Splunk triggered searches? Please help, I'd really like to disable this option to see if it helps with performance the way they're claiming it will.

Thanks in advance.

jkat54
SplunkTrust
SplunkTrust

You can save a search as a report and then open "advanced edit" from settings -> searches, reports, and alerts -> "edit' dropdown.

Then search for "preview" and disable it there. You will find an option similar to "display.general.enablePreview" and it defaults to the number 1 for "True". Change it to 0 and click the save butotn.


Then you can just use | savedsearch "YourReportName"

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch

This is particularly useful if you're using an external system to pull the data via API and the developers of the integration were unaware of the preview function being enabled by the default mode of operation in Splunk search.

0 Karma

woodcock
Esteemed Legend

This setting only appears on the Statistics tab and is fairly persistent (meaning that if you turn it on at any point, it is likely to be on everywhere until you turn it off). So go to the Statistics tab after running any search, and notice the Preview menu directly below the Statistics label. It has 2 options: Preview and No Preview.

0 Karma

southeringtonp
Motivator

I believe that the recommendations were referring to the Preview checkbox in the Advanced Charting view.

Views->Advanced Charting, under the Results section.

You can also get to it in flashtimeline, but only when using transformative commands like stats. In that case, you have to first click for the Results Table display, then you can see it under Options.

If you are having performance issues, you may want to consider adding more hardware, improving disk layout for better I/O, or better yet contacting Splunk Support for assistance suited to your specific needs.

southeringtonp
Motivator

Ah, ok, found it. It is available in flashtimeline after all, but only after you click on results. Modified above accordingly.

0 Karma

tmeader
Contributor

The thing is, after a long search finally completes (and this isn't a search that went through the Advanced Charting view at all), if you then inspect the search, the inspection window will show that "EnablePreview" was "true" for the search. Does this not incur any search penalty if not created through the Advanced Charting section? Alternatively, is it possible to append any search option to saved searches that will make sure this option is completely "off"? Thanks.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...