topic Re: Specify Event Sampling in a query for use in a Dashboard in Splunk Search

Is it possible to specify Event Sampling in a query for use in a Dashboard?

dmoberg — Tue, 27 Sep 2022 14:11:59 GMT

For the type of data I am trying to extract, Event Sampling really speeds up the query. This works fine when executing SPL queries, but I have not been able to figure out how to do this in a dashboard. Found some older posts where "rand" was used, but apparently that did not speed up the query.

Is it possible to specify Event Sampling directly in a Search Query or in the Dashboard in some way?

Re: Specify Event Sampling in a query for use in a Dashboard

FelixLeh — Tue, 27 Sep 2022 07:59:33 GMT

I think this Splunk Docs article should help (Event sampling with reports and dashboard panels topic):

https://docs.splunk.com/Documentation/Splunk/latest/Search/Retrieveasamplesetofevents

<event>
  <title>sample events</title>
  <search>
     <query>buttercupgames</query>
     <earliest>@d</earliest>
     <latest>now</latest>
     <sampleRatio>500</sampleRatio>
  </search>
</event>

_______________________________________

If this was helpful please consider awarding Karma. Thx!

Re: Specify Event Sampling in a query for use in a Dashboard

dmoberg — Tue, 27 Sep 2022 14:01:56 GMT

Thanks. I tried it but it seems when this setting is used in the Dashboard there is no performance improvement at all. Running the exact same query directly in SPL with the same Event Sampling is much quicker.

Maybe this is a bug in the implementation?

Re: Specify Event Sampling in a query for use in a Dashboard

FelixLeh — Tue, 27 Sep 2022 14:36:22 GMT

In my tests when I used sampleRatio 5000 and the search time was reduced from 35 seconds to 4.. so it seems to work fine on my end. Maybe there is something in your search/dashboard that limits the speed regardless of sampling? Reasons could be:

- early transformative command like table or stats command that force Splunk to work on the search head instead of index.

- Great amount of searches/panels on Dashboards spike resource usage and may slow down Splunk

If you want to want to describe the surrounding dashboard or the query that you are using I may be able to help.

_______________________________________

If this was helpful please consider awarding Karma. Thx!

Re: Specify Event Sampling in a query for use in a Dashboard

dmoberg — Wed, 28 Sep 2022 06:15:11 GMT

Problem solved. I had the Dashboard pane search settings for the Time Picker set to Global, instead of Shared Time Picker. BUT, I earlier checked the Source of the Dashboard and the Earliest was set to "-24h" and still the search took forever, but directly in Splunk search the same search for 24 hrs was really quick. Maybe when Global is selected as the Time Picker, the Earliest setting is ignored and instead All Time is selected (picked up from elsewhere)?

Anyways, thanks allot now it works great!!

Re: Specify Event Sampling in a query for use in a Dashboard

FelixLeh — Wed, 28 Sep 2022 07:26:13 GMT

Glad I was able to help!