I have the following source in my dashboard. The dashboard loads fine but it takes a long time (around 5 to 10 mins) for the search to complete. I am interested in looking at last 24 hrs data in this panel. Is there any options that I can use in my source to speed things up ?
<form theme="dark">
<fieldset submitButton="false">
<input type="time" token="field1">
<label>TimeRange</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>MY ENTIRE QUERY SEARCH</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
WIthout seeing your search, as others have commented, it's hard to know how to speed things up.
As a suggestion: create a scheduled search to run each day.
Then use loadjob to load the results in:
| loadjob savedsearch="yoursusername:yourapp:yoursearchname"
For example:
| loadjob savedsearch=burwell:search:mysearch1
You can add events=false
to speed things up
You will need to tell us about what your actual search is, what version of Splunk you're using, your architecture, your data ingest volumes etc etc before there's any way we can help with a query this generic.
I actually dont know the architecture as I personally dont manage the splunk. Not sure about ingest volumes.
The query is propriety and hence not able to share. The query is basically getting events from lot of different cloud stacks we have and then I sort the data before displaying in the dashboard. When I run the search, I see lot of events getting processed (in the order around 10 million+) with no event sampling. So wondering if there is anything i can do to speed things up.
in the order around 10 million+
Too many.
What are you searching for?
If you don't narrow your search, it won't get faster.
@balash1979 unfortunately community experts would not be able to assist you with your question without having the understanding of your data and Splunk search that you are running. There are several possibilities of optimizing search query depending on data, correlation and SPL that you have. Refer to one of my older answers for some of these: https://answers.splunk.com/answers/653570/what-is-the-best-way-to-learn-and-master-splunk-se.html#an...