Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dashboard Performance - Saved Report or Inline Search

HeinzWaescher
Motivator
‎11-13-2013 03:21 AM

Hi,

I would like to set up some Dashboards to aggregate several search results on one page,
but I'm not sure about the exact difference between the "inline search" and "report"? Will the "inline search" run all searches again, so this type of panel will use a lot of performance (but will always be up to date)? Whereas the report-dashboard is using the results of each reports last run? So the report would be much better regarding performance issues?

Best

Heinz

Tags (2)
Reply

MuS
Legend
‎11-13-2013 04:29 AM

Hi HeinzWaescher,

like most of the Splunk related stuff; it all depends what you are trying to achieve.

For example

  • inline search cannot be accelerated, but can use saved search results
  • saved searches can be accelerated, if your result supports it (like stats output)
  • you can create a single dashboard with only one search and postprocess the result in different graphs if the base data for all graphs is the same, see this

In the end it is up to your needs and some try and error approach to setup THE dashboard for your needs.

Update: Not to forget the summary index and how to use it to increase report efficiency, see this docs


Hope this helps ...

cheers, MuS

Reply

HeinzWaescher
Motivator
‎11-13-2013 05:23 AM

Hey,

thanks for your answer. At the moment I just want to bring some results together and expected, that the results of saved searches and inline search are different in the dashboard. Because when I Clone a saved search to an inline search, Splunk tells me "The inline search: Will run every time the dashboard is loaded". So I expected that a saved search will use some kind of stored results and is much faster.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...