Re: Any performance issues with all the real-time ...

the_wolverine · ‎02-11-2015

I have just installed the app and want to know if anyone has encountered any performance issues with the multitude (nearly all) real-time searches that are used in the dashboard.

I will refactor the searches to not use real-time search.

btorresgil · ‎02-12-2015

Hello. There are actually only 4 real time searches in the entire app. All of them are on the Overview Dashboard. The app uses search templates and search post process to reduce load from real-time searches, and uses datamodel acceleration in non-realtime pivots for the rest of the dashboards.

If you're experiencing performance issues, can you describe what symptoms you're seeing and how many logs per second you're sending to splunk? Is the performance problem exclusive to the Palo Alto Networks app, or across all apps? Just one dashboard, or all dashboards?

Thanks,
-Brian

the_wolverine · ‎02-12-2015

We tightly control the use of real-time searches in our env because each rt-search consumes a core of resource. Privileged users might be allowed to run a single rt-search. We have since converted all the rt searches in overview to scheduled searches.

Any performance issues with all the real-time searches in Palo Alto Networks app?

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor