- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Improve dashboard performance
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Improve dashboard performance
I have the following source in my dashboard. The dashboard loads fine but it takes a long time (around 5 to 10 mins) for the search to complete. I am interested in looking at last 24 hrs data in this panel. Is there any options that I can use in my source to speed things up ?
<form theme="dark">
<fieldset submitButton="false">
<input type="time" token="field1">
<label>TimeRange</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>MY ENTIRE QUERY SEARCH</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WIthout seeing your search, as others have commented, it's hard to know how to speed things up.
As a suggestion: create a scheduled search to run each day.
Then use loadjob to load the results in:
| loadjob savedsearch="yoursusername:yourapp:yoursearchname"
For example:
| loadjob savedsearch=burwell:search:mysearch1
You can add events=false to speed things up
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You will need to tell us about what your actual search is, what version of Splunk you're using, your architecture, your data ingest volumes etc etc before there's any way we can help with a query this generic.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I actually dont know the architecture as I personally dont manage the splunk. Not sure about ingest volumes.
The query is propriety and hence not able to share. The query is basically getting events from lot of different cloud stacks we have and then I sort the data before displaying in the dashboard. When I run the search, I see lot of events getting processed (in the order around 10 million+) with no event sampling. So wondering if there is anything i can do to speed things up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in the order around 10 million+
Too many.
What are you searching for?
If you don't narrow your search, it won't get faster.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@balash1979 unfortunately community experts would not be able to assist you with your question without having the understanding of your data and Splunk search that you are running. There are several possibilities of optimizing search query depending on data, correlation and SPL that you have. Refer to one of my older answers for some of these: https://answers.splunk.com/answers/653570/what-is-the-best-way-to-learn-and-master-splunk-se.html#an...
| makeresults | eval message= "Happy Splunking!!!"
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
