With the 4.2 upgrade it brought along with it the real-time updating of the metadata on the main screen/dashboard for the global summary, hosts/source/sourcetypes.
Is there any way to disable this and go back to how it polls once on navigating to the front page the first time and not continuously updating?
Thanks,
Scott
Make a copy of the file $SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard_live.xml
to $SPLUNK_HOME/etc/apps/search/local/data/ui/views/
and remove all <param name="earliest">rt</param>
and <param name="latest">rt</param>
occurrences. After reloading your app, the view should show the view without the real-time information.
As an alternative you could copy the dashboard.xml from a 4.1.x package to your installation and modify the navigation to use it as the default view.
Hi... We have been having some problems with our Splunk UI running out of Swap space, and the real-time updating of the Summary screen seems to be a contributing factor. So we want to disable this real-time updating.
I have followed the above instructions, trying with just ...dashboard_live.xml, and then adding dashboard.xml in the copy & modify procedure.
It definitely worked to stop the real-time updating, based on looking at the "Events Indexed" counter - it doesn't increment.
However... I'm having a different problem...
The "Sources" pane never updates. "Waiting for search to complete..." is displayed in that pane forever. (OK, I exaggerate... For 15 minutes so far 🙂
In one instance, the "Source types" pane also didn't update, but, most of the time, the other panes (All indexed data, Source types, Hosts) look just fine.
If I switch back to the original configuration (only unchanged, "default" dashboard*.xml files), things work as before (real-time updating back on).
Any ideas why the non-real-time Summary searches are hanging and/or taking much longer?
Thx,
mfeeny1
Make a copy of the file $SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard_live.xml
to $SPLUNK_HOME/etc/apps/search/local/data/ui/views/
and remove all <param name="earliest">rt</param>
and <param name="latest">rt</param>
occurrences. After reloading your app, the view should show the view without the real-time information.
As an alternative you could copy the dashboard.xml from a 4.1.x package to your installation and modify the navigation to use it as the default view.
Upgraded from 4.1.7.
Did you upgrade to 4.2 or was it a fresh install?
However if I copy this file: $SPLUNK_HOME/etc/apps/search/local/data/ui/views/dashboard.xml. It has a single set of RT entries, removing those does stop the updating for me.
Yep, put a copy in here: $SPLUNK_HOME/etc/apps/search/local/data/ui/views/dashboard_live.xml. Removed 3 occurrences of earliest and 3 adjacent latest. Changed a label for 'Earliest Event'. Navigated to a different app and back, did not take the label changes or RT changes.
Are you sure, you placed the file into the correct directory? It's working for me... Try to modify some other part of the file (eg. a label or something) and see if the change takes effect. An app reload is sufficient to reload the view (ie. navigate to the home app and back to search)
Hrm..I copied the dashboard_live.xml file over to the local dir, removed the rt earliest/latest instances and restarted splunk. It still is updating in real-time.