I have the following source in my dashboard. The dashboard loads fine, but it takes a long time (around 5 to 10 mins) for the search to complete. I am interested in looking at the last 24 hrs of data in this panel. Are there any options that I can use in my source to speed things up?
<form theme="dark">
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label>TimeRange</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>MY ENTIRE QUERY SEARCH</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
@balash1979 Unfortunately, community experts would not be able to assist you with your question without an understanding of your data and the Splunk search that you are running. There are several possibilities for optimizing a search query depending on the data, correlation and SPL that you have. Refer to one of my older answers for some of these: https://answers.splunk.com/answers/653570/what-is-the-best-way-to-learn-and-master-splunk-se.html#an...
You will need to tell us what your actual search is, what version of Splunk you're using, your architecture, your data ingest volumes, etc. before there's any way we can help with a query this generic.
I actually don't know the architecture, as I personally don't manage Splunk. Not sure about ingest volumes.
The query is proprietary and hence I am not able to share it. The query is basically getting events from a lot of different cloud stacks we have, and then I sort the data before displaying it in the dashboard. When I run the search, I see a lot of events getting processed (on the order of 10 million+) with no event sampling. So I am wondering if there is anything I can do to speed things up.
Without seeing your search, as others have commented, it's hard to know how to speed things up.
As a suggestion: create a scheduled search to run each day.
Then use loadjob to load the results in:
| loadjob savedsearch="yourusername:yourapp:yoursearchname"
| loadjob savedsearch=burwell:search:mysearch1
You can add events=false to speed things up.
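To make the loadjob suggestion concrete, here is the original dashboard source rewritten so the panel reads the artifact of a scheduled report instead of running the heavy search on every load. This is an added illustration, not code from the thread; the report name burwell:search:mysearch1 is the placeholder used in the answer, and the scheduled report is assumed to already exist and to run with its own fixed -24h@h window.

```xml
<!-- Assumed prerequisite (not shown here): a saved report named mysearch1
     in app "search", owned by user "burwell", scheduled once a day, with
     dispatch.earliest_time=-24h@h and dispatch.latest_time=now, whose
     search string is the proprietary query from the question. -->
<form theme="dark">
  <row>
    <panel>
      <title>Last 24h (results from the scheduled report, not a live search)</title>
      <table>
        <search>
          <!-- loadjob returns the stored result set of the latest scheduled run.
               The dashboard time picker no longer applies: the window is fixed by
               the report's schedule, so the fieldset/time input has been removed
               to avoid suggesting that changing it re-runs the query.
               events=false (the default) loads the transformed results table,
               which is what the panel displays. -->
          <query>| loadjob savedsearch="burwell:search:mysearch1" events=false</query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
```

Because the panel now reads a stored artifact, its data is only as fresh as the last scheduled run and the report's permissions must let dashboard viewers read it.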