Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Dashboard performance on load

leandromatperei
Path Finder
‎12-16-2019 04:43 PM

Expensive,

I have an example dashboard like this below with 12 queries that make up my dashboard, it loads new information every minute.

Thinking about the optimization scenario, it takes a while to load, is there any way to make it faster?

Maybe decreasing the number of queries will solve, but I need to keep 12 separate values.

<dashboard>
  <label>TESTE</label>
  <row>
    <panel>
      <single depends="$showsinglevalue$">
        <title>TESTE 1</title>
        <search>
          <query>index=_internal  clientip="127.0.0.1" | stats  count as sourcetype</query>
          <earliest>$tempo.earliest$</earliest>
          <latest>$tempo.latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[5000]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single depends="$showsinglevalue$">
        <title>TESTE 2</title>
        <search>
          <query>index=_internal  component=Metrics | stats  count as sourcetype</query>
          <earliest>$tempo.earliest$</earliest>
          <latest>$tempo.latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single depends="$showsinglevalue$">
        <title>TESTE 3</title>
        <search>
          <query>index=_internal  file=jobs | stats  count as sourcetype</query>
          <earliest>$tempo.earliest$</earliest>
          <latest>$tempo.latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[4000]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single depends="$showsinglevalue$">
        <title>TESTE 4</title>
        <search>
          <query>index=_internal  status=200 | stats  count as sourcetype</query>
          <earliest>$tempo.earliest$</earliest>
          <latest>$tempo.latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <single depends="$showsinglevalue$">
        <title>TESTE 5</title>
        <search>
          <query>index=_internal   component=PeriodicHealthReporter | stats  count as sourcetype</query>
          <earliest>$tempo.earliest$</earliest>
          <latest>$tempo.latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single depends="$showsinglevalue$">
        <title>TESTE 6</title>
        <search>
          <query>index=_internal   user="splunk-system-user" | stats  count as sourcetype</query>
          <earliest>$tempo.earliest$</earliest>
          <latest>$tempo.latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single depends="$showsinglevalue$">
        <title>TESTE 7</title>
        <search>
          <query>index=_internal | stats count as sourcetype</query>
          <earliest>$tempo.earliest$</earliest>
          <latest>$tempo.latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single depends="$showsinglevalue$">
        <title>TESTE 8</title>
        <search>
          <query>index=_internal | stats count as sourcetype</query>
          <earliest>$tempo.earliest$</earliest>
          <latest>$tempo.latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <single depends="$showsinglevalue$">
        <title>TESTE 9</title>
        <search>
          <query>index=_internal | stats count as sourcetype</query>
          <earliest>$tempo.earliest$</earliest>
          <latest>$tempo.latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single depends="$showsinglevalue$">
        <title>TESTE 10</title>
        <search>
          <query>index=_internal | stats count as sourcetype</query>
          <earliest>$tempo.earliest$</earliest>
          <latest>$tempo.latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single depends="$showsinglevalue$">
        <title>TESTE 11</title>
        <search>
          <query>index=_internal | stats count as sourcetype</query>
          <earliest>$tempo.earliest$</earliest>
          <latest>$tempo.latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
    <panel>
      <single depends="$showsinglevalue$">
        <title>TESTE 12</title>
        <search>
          <query>index=_internal | stats count as sourcetype</query>
          <earliest>$tempo.earliest$</earliest>
          <latest>$tempo.latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
  </row>
</dashboard>
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-16-2019 11:53 PM

Hi @leandromatpereira,
at first you could use a Post Process Search, in other words, you could have a main search (index=_internal) and in each panel take the results of this search and add the other filters and calculations (e.g. | search clientip="127.0.0.1" | stats count as sourcetype).
You can see how to do this on Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ) or at https://docs.splunk.com/Documentation/Splunk/8.0.0/Viz/Savedsearches#Post-process_searches_2 .

Then I don't understand the depends in each panel: where's the condition? but probably there a part of your dashboard that you didn't inserted in the question.

Then I see that some panels seem to be equal, maybe you could optimize them and reduce the number of panels.

Then the refresh every minute: is it mandatory? what's the execution time of your searches, have you time to reload?, maybe it could be possible to enlarge the refresh time.

At lease, remember that every search takes a CPU and didn't release it until it's working, this means that, when you run this dashboard, you're using 12 CPUs on Search Head and 12 on Indexers!
I don't know your architecture, but if two o three people use this dashboard you risk to block your system!

Ciao.
Giuseppe

Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-16-2019 05:18 PM

Are the last 6 panels supposed to be identical?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

leandromatperei
Path Finder
‎12-16-2019 05:49 PM

They are just to exemplify, may consider as different values.

May consider as 12 different values.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...