Dashboards & Visualizations
Highlighted

How to edit my dashboard searches as I change the time range from Last Hour to Last 30 Days and maintain or improve performance?

Contributor

I have a dashboard that displays a number of charts taking into account the last one hour of data and automatically refreshes every 5 minutes. It works fine.

Now my management wants the similar chart for last one month's data instead of last one hour. Obviously, if I try to run my search as is with last 30 days data, it runs like a snail, which is expected.

Can anyone suggest me clue as how to make it faster? Is summary index a good option or there are other ways to run searches faster? I have listed the search commands that I used in my dashboard below:

index=webproxy eventtype=ironport_proxy | eval download=sc_bytes/1024/1024 | stats sum(download) by host

index=webproxy eventtype=ironport_proxy |  stats count by "Display Name" | sort limit=10 count desc

index=webproxy eventtype=ironport_proxy | eval MegaByte=sc_bytes/1048576 | stats max(MegaByte) by "Display Name" | sort limit=10 max(MegaByte) desc

index=webproxy eventtype=ironport_proxy | eval MegaByte=sc_bytes/1048576 | stats max(MegaByte) by c_ip | sort limit=10 max(MegaByte) desc

index=webproxy eventtype=ironport_proxy  | rex field=cs_url "\/\/(?P<s_hostname>[^/]*)" | eval MegaByte=sc_bytes/1048576 | stats max(MegaByte) by s_hostname | sort limit=10 max(MegaByte) desc

index=webproxy eventtype=ironport_proxy | stats count by c_ip | sort limit=10 -count

index=webproxy eventtype=ironport_proxy s_hostname!="-" sc_bytes=* | bucket _time span=1w | eval download=sc_bytes/1024/1024 | eval minute=strftime(_time,"%H:%M") | chart sum(download) over minute by host
Highlighted

Re: How to edit my dashboard searches as I change the time range from Last Hour to Last 30 Days and maintain or improve performance?

Contributor

It looks like your searches are well formatted already.

Since you are running stats command, you should build a summary index with the sistats command.

Other alternatives are to create and accelerated data models: http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Aboutdatamodels . This will help you to provide a fast and easy way to your management to build reports.