Dashboards & Visualizations

How to cache previous search results from a dashboard and to only run a search from the current time to the last cache search time?

Engager

Hi,

I have a dashboard with a search that produces how much data has been indexed by Splunk for a given time range. However, due to the large amount of data being processed, this search is quite slow. I was wondering what the best method is for caching previous search results and only search from the current time to the last cache searched. For example, if I was searching how much data was indexed the past 7 days, and I had a cached search for the first 4 days, I'd like to use that cached search then add on the remaining last 3 days.

Any help is appreciated! Thanks.

0 Karma

Splunk Employee
Splunk Employee

Splunk doesn't have the ability to Cache search results and use them like this per say at search time (you can look at the loadjob command and understand what I mean here.) So I believe you want to use Report Acceleration.

I would advise you look here first :

https://docs.splunk.com/Documentation/Splunk/6.4.3/Knowledge/Manageacceleratedsearchsummaries

That has a good outline of what you have to do and what kind of searches you can use this on. There are constraints on the search you can enable this on along with how to check how much is Accelerated.

Splunk Employee
Splunk Employee

I agree with @esix for making use of Report Acceleration.

Splunk doesn't have the ability to
Cache search results and use them like
this per say at search time

Confusing comment. Search result will be cached by default. Just for this use case, it is not recommended to make use of it. Report Acceleration is a way better solution

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!