Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dashboard Performance - Saved Report or Inline Search

HeinzWaescher
Motivator
‎11-13-2013 03:21 AM

Hi,

I would like to set up some Dashboards to aggregate several search results on one page,
but I'm not sure about the exact difference between the "inline search" and "report"? Will the "inline search" run all searches again, so this type of panel will use a lot of performance (but will always be up to date)? Whereas the report-dashboard is using the results of each reports last run? So the report would be much better regarding performance issues?

Best

Heinz

Tags (2)
Reply

MuS
Legend
‎11-13-2013 04:29 AM

Hi HeinzWaescher,

like most of the Splunk related stuff; it all depends what you are trying to achieve.

For example

  • inline search cannot be accelerated, but can use saved search results
  • saved searches can be accelerated, if your result supports it (like stats output)
  • you can create a single dashboard with only one search and postprocess the result in different graphs if the base data for all graphs is the same, see this

In the end it is up to your needs and some try and error approach to setup THE dashboard for your needs.

Update: Not to forget the summary index and how to use it to increase report efficiency, see this docs


Hope this helps ...

cheers, MuS

Reply

HeinzWaescher
Motivator
‎11-13-2013 05:23 AM

Hey,

thanks for your answer. At the moment I just want to bring some results together and expected, that the results of saved searches and inline search are different in the dashboard. Because when I Clone a saved search to an inline search, Splunk tells me "The inline search: Will run every time the dashboard is loaded". So I expected that a saved search will use some kind of stored results and is much faster.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

It’s go time — Boston, here we come!

Are you ready to take your Splunk skills to the next level? Get set, because Splunk University is back, and ...

Performance Tuning the Platform, SPL2 Templates, and More New Articles on Splunk ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top