All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Realtime search in dashboard slow compared to realtime in flashtimeline

KarunK
Contributor
‎04-24-2013 12:01 AM

Hi All,

I have a realtime search to find TPS in a dashboard. But the search in dashboard runs ten times slower than the same search run on search window. Couldn't figure out why. Also some times the data gets truncated as well.

Could anyone help ?

Update 29th April : I think the backfill is not working. How can the realtime backfill be enabled ?

Thanks

Regards

KK

search

index="router" $service$ hostname="$hostname$" | timechart span=1s count by hostname | timechart span=1min max(*)  as *

Advanced XML

<?xml version="1.0" encoding="UTF-8"?>
<view isPersistable="true" isSticky="false" isVisible="true" objectMode="viewconf" onunloadCancelJobs="true" stylesheet="application.css" template="dashboard.html">
   <label>Device</label>
   <module name="SideviewUtils" layoutPanel="messaging" />
   <module name="AccountBar" layoutPanel="messaging" />
   <module name="AppBar" layoutPanel="navigationHeader" />
   <module name="Message" layoutPanel="viewHeader">
      <param name="filter">*</param>
      <param name="clearOnJobDispatch">False</param>
      <param name="maxSize">2</param>
   </module>
   <module name="Message" layoutPanel="viewHeader">
      <param name="filter">splunk.search.*</param>
      <param name="clearOnJobDispatch">True</param>
      <param name="maxSize">1</param>
   </module>
   <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
      <param name="search">|inputlookup address.csv</param>
      <module name="Pulldown">
         <param name="float">left</param>
         <param name="searchFieldsToDisplay">
            <list>
               <param name="value">hostname</param>
               <param name="label">hostname</param>
            </list>
         </param>
         <param name="name">hostname</param>
         <param name="postProcess">| inputlookup address | dedup hostname | table hostname | sort hostname</param>
         <param name="label">Device</param>
         <module name="Pulldown" layoutPanel="panel_row1_col1">
            <param name="searchFieldsToDisplay">
               <list>
                  <param name="value">service</param>
                  <param name="label">Delivery Service</param>
               </list>
            </param>
            <param name="outerTemplate">( $value$ )</param>
            <param name="label">Delivery Service</param>
            <param name="separator">+OR+</param>
            <param name="size">3</param>
            <param name="postProcess">| inputlookup service | dedup service | table service | sort service</param>
            <param name="name">service</param>
            <param name="template">$value$</param>
            <param name="float">left</param>
                          <module name="SubmitButton">
                  <param name="label">Search</param>

            <module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
               <param name="search">index="router" $service$ hostname="$hostname$" | timechart span=1s count by hostname | timechart span=1min max(*)  as *</param>
               <param name="earliest">rt-1h</param>
               <param name="latest">rt</param>
               <module name="HTML" layoutPanel="panel_row2_col1">
                  <param name="html">&lt;pre&gt;
searchExpression : index="router" &lt;b&gt;$service$ hostname="$hostname$" &lt;/b&gt; | timechart span=1s count by hostname | timechart span=1min max(*)  as *
  &lt;/pre&gt;</param>
               </module>
               <module name="JobProgressIndicator" />
               <module name="JobStatus">    
            <param name="showCreateMenu">false</param>
             <param name="showSaveMenu">false</param> 
             </module>

               <module name="EnablePreview">
                  <param name="enable">True</param>
                  <param name="display">False</param>
                  <module name="HiddenChartFormatter" layoutPanel="panel_row2_col1" group="Real Time Service Router Peak TPS ( 1 hour window )">
                     <param name="groupLabel">Real Time TPS</param>
                     <param name="charting.chart">area</param>
                     <param name="primaryAxisTitle.text">Time</param>
                     <param name="secondaryAxisTitle.text">TPS</param>
                     <module name="FlashChart">
                     <param name="height">350px</param>
                        <module name="ConvertToDrilldownSearch">
                           <module name="ViewRedirector">
                              <param name="viewTarget">flashtimeline</param>
                           </module>
                        </module>
                     </module>
                  </module>
               </module>
            </module>
         </module>
      </module>
      </module>   
      </module>      
</view>

A simple xml dashboard was as fast as the flash-timeline one. Its only Advanced xml dashboard is slow.

<?xml version='1.0' encoding='utf-8'?>
<dashboard>
  <label>rrr</label>
  <row>
    <chart>
      <searchName>testinggggggggggggg</searchName>
      <title>testinggggggggggggg</title>
      <option name="charting.chart">area</option>
    </chart>
  </row>
</dashboard>
Reply
1 Solution
Solved! Jump to solution
Solution

KarunK
Contributor
‎05-30-2013 06:24 PM

Idendified as a bug in Sideview/Splunk Core Engine.

Please refer the following link for workaround.
http://splunk-base.splunk.com/answers/85455/backfill-not-working-for-a-realtime-dashboard

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

KarunK
Contributor
‎05-30-2013 06:24 PM

Idendified as a bug in Sideview/Splunk Core Engine.

Please refer the following link for workaround.
http://splunk-base.splunk.com/answers/85455/backfill-not-working-for-a-realtime-dashboard

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎06-07-2013 11:38 AM

The bug was in Splunk but deep enough that it may have only ever affected Sideview Utils. The relevant Splunk code has been patched by Sideview Utils as of a version or two ago so go ahead and update to latest SVU and the problem will completely go away.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...