Solved: Re: help with accelerated report with dashboard dy...

dhavamanis · ‎11-28-2014

We have dashboard with report query, based on base query its loading fine, if add a filter sitename in addition that time range filter. its taking long time to show results.

base query accelerated with report and added to dashboard:

index="mpsakamai" source=/var/log/httpd/akamai/* site=* ("path=%2F&" OR "path=/&") | bucket _time span=1d | stats count by _time, site,response_code | sort _time desc

modified above query with dynamic parameter:

index="mpsakamai" source=/var/log/httpd/akamai/* site=$site_name$ ("path=%2F&" OR "path=/&") | bucket _time span=1d | stats count by _time, site, response_code | sort _time desc

if i pass sitename as alltime, its fetch results fast. if pass particular site value from dashboard dropdown and its taking long time to fetch the results.

Can you please help us, how to speed up this dashboard refresh faster while choosing the sitename.

martin_mueller · ‎11-29-2014

If you change the query up to and including the first reporting command then it will not be eligible for the existing report acceleration summary.

You can solve that like this:

base search | ... | stats count by _time, site, response_code | search site=$site_name$ | sort 0 _time desc

View solution in original post

martin_mueller · ‎11-29-2014

If you change the query up to and including the first reporting command then it will not be eligible for the existing report acceleration summary.

You can solve that like this:

base search | ... | stats count by _time, site, response_code | search site=$site_name$ | sort 0 _time desc

dhavamanis · ‎12-01-2014

works fine. Thank you so much!.

help with accelerated report with dashboard dynamic parameter value slowness

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases