How to cache previous search results from a dashbo...

brianlee12 · ‎10-23-2016

Hi,

I have a dashboard with a search that produces how much data has been indexed by Splunk for a given time range. However, due to the large amount of data being processed, this search is quite slow. I was wondering what the best method is for caching previous search results and only search from the current time to the last cache searched. For example, if I was searching how much data was indexed the past 7 days, and I had a cached search for the first 4 days, I'd like to use that cached search then add on the remaining last 3 days.

Any help is appreciated! Thanks.

esix_splunk · ‎10-23-2016

Splunk doesn't have the ability to Cache search results and use them like this per say at search time (you can look at the loadjob command and understand what I mean here.) So I believe you want to use Report Acceleration.

I would advise you look here first :

https://docs.splunk.com/Documentation/Splunk/6.4.3/Knowledge/Manageacceleratedsearchsummaries

That has a good outline of what you have to do and what kind of searches you can use this on. There are constraints on the search you can enable this on along with how to check how much is Accelerated.

Masa · ‎10-26-2016

I agree with @esix for making use of Report Acceleration.

Splunk doesn't have the ability to
Cache search results and use them like
this per say at search time

Confusing comment. Search result will be cached by default. Just for this use case, it is not recommended to make use of it. Report Acceleration is a way better solution

How to cache previous search results from a dashboard and to only run a search from the current time to the last cache search time?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk