Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a concept of caching in Splunk 6.2.1 or the option of using a lookup table to make a dashboard drop-down load faster?

vdevarayan
Path Finder
‎04-01-2015 08:24 PM

I have 50+ million lines forwarded to an index.
It is in csv format and here is an example:
timestamp,teamname,buildnumber,url,latency,responsecode, (and few other fields)

Now, i am creating a dashboard with 2 drop-downs at the top.
First drop-down is unique teamname
Second drop-down is unique buildnumber based on the teamname (first drop-down)

The issue i have is that the first drop-down takes minutes to load.
Is there a way to make this any faster?
Is it possible to cache this ?
or using a lookup table an option here?

I am on version 6.2.1

Thanks

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎04-13-2015 11:37 PM

You could schedule a saved search which outputs the teamnames to csv and load those into your dropdown (http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Outputcsv and http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/inputlookup).
Depending on how fresh your data has to be, you could run this search once per night, so your dropdown has results that are up to date each day. If you need more recent (i.e., hourly) data, you could also do a second search over a timeframe of the last 24 hours which starts on loading the dashboard and conditionally add any new results from that search to your dropdown dynamically.

But if I understood your sitation correctly, you have a large data basis with many "historic" events, so it may be more efficient to do a search over all your data once to get a basis for the teamnames and then only search once per day for any new entries which could then be added to your list teamnames. I am not sure if you need to do this by hand (e.g. create a csv file), or if this is somehow inbuilt with accelerated splunk reports.

0 Karma
Reply
Get Updates on the Splunk Community!

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...