Dashboards & Visualizations

Disable real-time polling of global summary and main dashboard stats

skippylou
Communicator

With the 4.2 upgrade it brought along with it the real-time updating of the metadata on the main screen/dashboard for the global summary, hosts/source/sourcetypes.

Is there any way to disable this and go back to how it polls once on navigating to the front page the first time and not continuously updating?

Thanks,

Scott

Tags (2)
1 Solution

ziegfried
Influencer

Make a copy of the file $SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard_live.xml to $SPLUNK_HOME/etc/apps/search/local/data/ui/views/ and remove all <param name="earliest">rt</param> and <param name="latest">rt</param> occurrences. After reloading your app, the view should show the view without the real-time information.

As an alternative you could copy the dashboard.xml from a 4.1.x package to your installation and modify the navigation to use it as the default view.

View solution in original post

0 Karma

mfeeny1
Path Finder

Hi... We have been having some problems with our Splunk UI running out of Swap space, and the real-time updating of the Summary screen seems to be a contributing factor. So we want to disable this real-time updating.

I have followed the above instructions, trying with just ...dashboard_live.xml, and then adding dashboard.xml in the copy & modify procedure.

It definitely worked to stop the real-time updating, based on looking at the "Events Indexed" counter - it doesn't increment.

However... I'm having a different problem...

The "Sources" pane never updates. "Waiting for search to complete..." is displayed in that pane forever. (OK, I exaggerate... For 15 minutes so far 🙂

In one instance, the "Source types" pane also didn't update, but, most of the time, the other panes (All indexed data, Source types, Hosts) look just fine.

If I switch back to the original configuration (only unchanged, "default" dashboard*.xml files), things work as before (real-time updating back on).

Any ideas why the non-real-time Summary searches are hanging and/or taking much longer?

Thx,
mfeeny1

0 Karma

ziegfried
Influencer

Make a copy of the file $SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard_live.xml to $SPLUNK_HOME/etc/apps/search/local/data/ui/views/ and remove all <param name="earliest">rt</param> and <param name="latest">rt</param> occurrences. After reloading your app, the view should show the view without the real-time information.

As an alternative you could copy the dashboard.xml from a 4.1.x package to your installation and modify the navigation to use it as the default view.

0 Karma

skippylou
Communicator

Upgraded from 4.1.7.

0 Karma

ziegfried
Influencer

Did you upgrade to 4.2 or was it a fresh install?

0 Karma

skippylou
Communicator

However if I copy this file: $SPLUNK_HOME/etc/apps/search/local/data/ui/views/dashboard.xml. It has a single set of RT entries, removing those does stop the updating for me.

0 Karma

skippylou
Communicator

Yep, put a copy in here: $SPLUNK_HOME/etc/apps/search/local/data/ui/views/dashboard_live.xml. Removed 3 occurrences of earliest and 3 adjacent latest. Changed a label for 'Earliest Event'. Navigated to a different app and back, did not take the label changes or RT changes.

0 Karma

ziegfried
Influencer

Are you sure, you placed the file into the correct directory? It's working for me... Try to modify some other part of the file (eg. a label or something) and see if the change takes effect. An app reload is sufficient to reload the view (ie. navigate to the home app and back to search)

0 Karma

skippylou
Communicator

Hrm..I copied the dashboard_live.xml file over to the local dir, removed the rt earliest/latest instances and restarted splunk. It still is updating in real-time.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...