
How to store results of searches in Dashboard?

brober27
New Member

I have built a dashboard with many instagrams, gauges, and graphics. Every time I click on this dashboard the searches are run again from the start. But this is not necessary because the data does not change (at the moment). It is not useful to waste processing computation in Splunk (which we know is also limited). This is also an issue because it takes time to run this computation and therefore the dashboard takes time to be displayed.
So my wish is to store the calculation once, and each time I click on the dashboard the results of the stored computation will be presented.
How can I do it? Please help me!!


niketn
Legend

@brober27, you have several options based on what the queries on your dashboard look like.

1) Summary Based Search Acceleration
2) Dashboard Panel from Scheduled Report. Each time the dashboard is loaded, results from the last execution of the Scheduled Report will be displayed instead of re-running the search.
3) Look into performance tuning of existing searches based on Search Optimization Tips
4) Create Data Models for datamodel acceleration
5) Use scheduled searches to push results to a lookup file using the outputlookup command and create a dashboard based on the lookup file (similar to the summary indexing approach, however the same lookup file can be overridden here instead of filling up a summary index)
6) Use the collect command to push summary results to an index of your choice and create a dashboard from the index with summarized events.
7) If you are on Splunk Enterprise 7 or higher and your data contains metrics data points, you can use mcollect or meventcollect to convert your events to metrics, which would run faster

Read the documentation and get help from a Splunk Support/Sales Engineer to weigh your options depending on your existing data input/dashboards and requirements.

Check out a couple of Splunk .conf 2017 sessions: (1) Searching Fast (2) Speed Up Your Searches

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
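
Options 2 and 5 from the answer above, sketched as a Simple XML dashboard. This is an added example, not part of the original thread; the report name, lookup file, index, sourcetype and field names are hypothetical.

```xml
<!-- Added example. Report name, lookup file, index, sourcetype and fields are hypothetical. -->
<dashboard>
  <label>Stored results demo</label>
  <row>
    <panel>
      <title>Option 2: panel backed by a scheduled report</title>
      <chart>
        <!-- "Failed Logins By Host - Hourly" is a saved report with a schedule.
             The panel displays the results of its most recent scheduled run
             instead of dispatching a new search on every page load. -->
        <search ref="Failed Logins By Host - Hourly"></search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Option 5: panel backed by a lookup file</title>
      <table>
        <!-- A separate scheduled search (for example hourly) overwrites the lookup:
               index=auth_demo sourcetype=demo:auth action=failure
               | stats count AS failures BY host
               | outputlookup failed_logins_by_host.csv
             The panel below only reads the stored rows, so it needs no time range
             and does not touch the raw events. -->
        <search>
          <query>| inputlookup failed_logins_by_host.csv | sort - failures</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

If the referenced report has no schedule, the first panel falls back to running the search when the dashboard loads, so the schedule is what provides the stored results.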