How to make efficient and fast searches, reports and dashboards?

abhi04
Communicator

How to make efficient and fast searches, reports and dashboards?

0 Karma

HiroshiSatoh
Champion

Below is what I usually think.

・Reduce number with base search
・Specify the time range. As narrow as possible
・Be sure to specify the index
・Do not use wildcard search.
   XXX* ⇒ If you can not stand it
   XXX ⇒ NG
   *XXX ⇒ NG
・Do not use NOT (!=)
・Transaction / join-sub search: Do not use. Use stats command.
・Reduce the field used by the fields command early.
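
As an added example (not part of the original post and not Splunk's own tooling), the tips above can be turned into a rough Python lint for saved searches and detection content. It is regex-based rather than a real SPL parser, and the rule ids, index, sourcetype and field names are invented for illustration.

```python
import re

# Added example: heuristic, regex-based checks (not a real SPL parser).
# Rule ids are made up for this example; each maps to one tip in the list above.
HEAVY = {"stats", "transaction", "join", "timechart", "chart"}

def lint_spl(spl):
    """Return a sorted list of rule ids the search string violates."""
    base = spl.split("|", 1)[0]                       # text before the first pipe
    cmds = re.findall(r"\|\s*([a-z]+)", spl.lower())  # command after each pipe
    found = set()
    if not re.search(r"\bindex\s*=", base, re.I):
        found.add("no-index")
    # Only sees inline modifiers; a time-picker range is invisible to this check.
    if not re.search(r"\bearliest\s*=", base, re.I):
        found.add("no-time-range")
    # Leading-wildcard terms such as *XXX are flagged; a trailing-only XXX*
    # is tolerated, as in the post.
    if re.search(r'(?:^|[\s=("])\*\w', base):
        found.add("leading-wildcard")
    if re.search(r"\bNOT\b|!=", base):
        found.add("negation")
    if "transaction" in cmds or "join" in cmds or "[" in spl:
        found.add("transaction-join-subsearch")
    # fields should appear before the first expensive command.
    heavy_at = next((i for i, c in enumerate(cmds) if c in HEAVY), None)
    if heavy_at is not None and "fields" not in cmds[:heavy_at]:
        found.add("fields-not-early")
    return sorted(found)

# Constructed sample searches; index, sourcetype and field names are invented.
SLOW = ('sourcetype=linux_secure *failed* user!=root '
        '| transaction user maxspan=10m | search eventcount>5')
FAST = ('index=os_auth sourcetype=linux_secure action=failure earliest=-4h '
        '| fields _time, user, src '
        '| stats count AS failures dc(src) AS sources BY user '
        '| where failures > 5')

if __name__ == "__main__":
    for name, query in (("SLOW", SLOW), ("FAST", FAST)):
        print(name, lint_spl(query) or "clean")
```
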

niketn
Legend

@abhi04, there could be so many things to consider. Could you state what you are doing right now that needs optimization so that we could be more specific?

Just to add on to @HiroshiSatoh's points, here are the Splunk Documentation pages for you to read/understand and implement:

1) Post Processing Best Practice: http://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/Savedsearches#Best_practices
2) Quick Tips for Search Query Optimization: https://docs.splunk.com/Documentation/Splunk/latest/Search/Quicktipsforoptimization
3) Optimize your lookup search: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup#Optimizing_your_lookup_sea...
4) Event Correlation method consideration: http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation
5) Use of multisearch to overcome subsearch limitation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch#Subsearch_processing...
6) Use Knowledge Objects for easier maintenance and re-usability of code: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/WhatisSplunkknowledge
7) Use of Data Summary for accelerated Search: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutsummaryindexing

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

abhi04
Communicator

Hi niketnilay,

I asked in a general way and not specific. Thanks for sharing this information, this helps.

0 Karma

albinortiz
Engager

@niketnilay

Great content. Thanks for sharing this!

0 Karma