Dashboards & Visualizations

My dashboard is very slow

EVACG
Observer

Good morning, I have created a dashboard with multiple searches and when I change a box the rest wait to do pooling and it is very slow. The data file is very small, it is a local csv. My license is free, I think I do the searches wrong.

 

Example

 

<form theme="dark">
<label>Almacenamiento</label>
<description>Cuadro de Mando Almacenamiento Prosegur</description>$Pais$<fieldset submitButton="false" autoRun="false">
<html>
<img src="/static/app/search/logoprosegur_3.PNG?updated={Now}" style="max-width:250%;width:50;height:50”;"/>
<div style="display:inline;width:5000px;"/>
<div>
<a title="Esquemas" href="http://10.28.62.77:8000/static/app/search/sede_$Ciudad$.png?updated={Now}" target="_blank">
<img srcset="/static/app/search/sede_$Ciudad$.png?updated={Now}" style="float:right;max-width:10%;width:10;height:10”;"/>
</a>
</div>
</html>
<input type="dropdown" token="Pais" searchWhenChanged="true">
<label>Sede por pais</label>
<fieldForLabel>VendorCountry</fieldForLabel>
<fieldForValue>VendorCountry</fieldForValue>
<search>
<query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv" |search VendorCity="$Ciudad$" AND Fabricante="$Fabricante$" AND Hostname="$Nombre$" | stats count by VendorCountry</query>
<earliest>0</earliest>
<latest></latest>
</search>
<choice value="*">ALL</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="Ciudad" searchWhenChanged="true">
<label>Sede por ciudad</label>#<selectFirstChoice>true</selectFirstChoice>
<fieldForLabel>VendorCity</fieldForLabel>
<fieldForValue>VendorCity</fieldForValue>
<search>
<query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv"| search VendorCountry="$Pais$" AND Fabricante="$Fabricante$" AND Hostname="$Nombre$" |stats count by VendorCity</query>
<earliest>0</earliest>
<latest></latest>

Labels (1)
0 Karma

EVACG
Observer

Hello, I think I have bad searches, adding the index does not solve anything for me. They are searches on the same file. Attack file with my dashboard. Thank

 

<dashboard theme="dark">
<label>Almacenamiento</label>
<description>Cuadro de Mando Almacenamiento Prosegur</description>$Pais$<fieldset submitButton="false" autoRun="false">
<html>
<img src="/static/app/search/logoprosegur_3.PNG?updated={Now}" style="max-width:250%;width:50;height:50”;"/>
<div style="display:inline;width:5000px;"/>
<div>
<a title="Esquemas" href="http://10.28.62.77:8000/static/app/search/sede_$Ciudad$.png?updated={Now}" target="_blank">
<img srcset="/static/app/search/sede_$Ciudad$.png?updated={Now}" style="float:right;max-width:10%;width:10;height:10”;"/>
</a>
</div>
</html>
<input type="dropdown" token="Pais" searchWhenChanged="true">
<label>Sede por pais</label>
<fieldForLabel>VendorCountry</fieldForLabel>
<fieldForValue>VendorCountry</fieldForValue>
<search>
<query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv" |search VendorCity="$Ciudad$" AND Fabricante="$Fabricante$" AND Hostname="$Nombre$" | stats count by VendorCountry</query>

<earliest>0</earliest>
<latest></latest>
</search>
<choice value="*">ALL</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="Ciudad" searchWhenChanged="true">
<label>Sede por ciudad</label>#<selectFirstChoice>true</selectFirstChoice>
<fieldForLabel>VendorCity</fieldForLabel>
<fieldForValue>VendorCity</fieldForValue>
<search>
<query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv"| search VendorCountry="$Pais$" AND Fabricante="$Fabricante$" AND Hostname="$Nombre$" |stats count by VendorCity</query>
<earliest>0</earliest>
<latest></latest>
</search>
<choice value="*">ALL</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="Fabricante" searchWhenChanged="true">
<label>Fabricante</label>#<selectFirstChoice>true</selectFirstChoice>
<choice value="*">ALL</choice>
<fieldForLabel>Fabricante</fieldForLabel>
<fieldForValue>Fabricante</fieldForValue>
<search>
<query> source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv"| search VendorCountry="$Pais$" AND VendorCity="$Ciudad$" AND Hostname="$Nombre$" |stats count by Fabricante</query>
<earliest>0</earliest>
<latest>now</latest>
</search>
<default>*</default>
</input>
<input type="dropdown" token="Nombre" searchWhenChanged="true">
<label>Hostname</label>#<selectFirstChoice>true</selectFirstChoice>
<choice value="*">ALL</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>Hostname</fieldForLabel>
<fieldForValue>Hostname</fieldForValue>
<search>
<query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv"| search VendorCountry="$Pais$" AND VendorCity="$Ciudad$" AND Fabricante="$Fabricante$" |stats count by Hostname</query>
<earliest>0</earliest>
<latest></latest>
</search>
</input>
</fieldset>
<row>
<panel depends="$alwaysHideCSS$">
<html>
<style>
#TBT{
width:20% !important;
}
#TBL{
width:20% !important;
}
#TBA{
width:20%!important;
}
#MAPA{
width:40% !important;
}
</style>
</html>
</panel>
<panel id="TBT">
<single>
<title>TB Total Sede</title>
<search>
<query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv" VendorCountry="$Pais$" VendorCity="$Ciudad$" Fabricante="$Fabricante$" Hostname="$Nombre$" | stats sum(NetoTBTotal)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="drilldown">none</option>
<option name="height">150</option>
<option name="rangeColors">["0xFFF","0xFF0"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
</single>
</panel>
<panel id="TBL">
<single>
<title>TB Total LIbre</title>
<search>
<query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv" VendorCountry="$Pais$" VendorCity="$Ciudad$" Fabricante="$Fabricante$" Hostname="$Nombre$" | stats sum(LibreTBTotal)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="drilldown">none</option>
<option name="height">150</option>
<option name="rangeColors">["0xFFF","0xff0"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
</single>
</panel>
<panel id="TBA">
<single>
<title>TB Total Asignado</title>
<search>
<query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv" VendorCountry="$Pais$" VendorCity="$Ciudad$" Fabricante="$Fabricante$" Hostname="$Nombre$"| stats sum(NetoTBAsignado)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="drilldown">none</option>
<option name="height">150</option>
<option name="rangeColors">["0xFFF","0xff0"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
</single>
</panel>
<panel id="MAPA">
<title>World PROSEGUR</title>
<map>
<search>
<query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv" VendorCountry="$Pais$" VendorCity="$Ciudad$" Fabricante="$Fabricante$" Hostname="$Nombre$" | stats count by VendorCountry |geom geo_countries featureIdField=VendorCountry</query>
<earliest>0</earliest>
<latest></latest>
<sampleRatio>1</sampleRatio>
<refresh>30s</refresh>
<refreshType>delay</refreshType>
</search>
<option name="drilldown">all</option>
<option name="height">250</option>
<option name="mapping.choroplethLayer.colorBins">9</option>
<option name="mapping.choroplethLayer.colorMode">auto</option>
<option name="mapping.choroplethLayer.maximumColor">0xFFFF00</option>
<option name="mapping.choroplethLayer.minimumColor">0x62b3b2</option>
<option name="mapping.choroplethLayer.neutralPoint">0</option>
<option name="mapping.choroplethLayer.shapeOpacity">0.75</option>
<option name="mapping.choroplethLayer.showBorder">0</option>
<option name="mapping.data.maxClusters">100</option>
<option name="mapping.legend.placement">none</option>
<option name="mapping.map.center">(0,0)</option>
<option name="mapping.map.panning">1</option>
<option name="mapping.map.scrollZoom">0</option>
<option name="mapping.map.zoom">1</option>
<option name="mapping.markerLayer.markerMaxSize">50</option>
<option name="mapping.markerLayer.markerMinSize">10</option>
<option name="mapping.markerLayer.markerOpacity">0.8</option>
<option name="mapping.showTiles">1</option>
<option name="mapping.tileLayer.maxZoom">7</option>
<option name="mapping.tileLayer.minZoom">0</option>
<option name="mapping.tileLayer.tileOpacity">1</option>
<option name="mapping.type">choropleth</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">1</option>
<option name="trellis.scales.shared">0</option>
<option name="trellis.size">large</option>
<option name="trellis.splitBy">_aggregation</option>
<drilldown>
<link target="_blank">/app/search/alemania</link>
</drilldown>
</map>
</panel>
</row>
<row>
<panel>
<single>
<title>Puertos Total</title>
<search>
<query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv" VendorCountry="$Pais$" VendorCity="$Ciudad$" Fabricante="$Fabricante$" Hostname="$Nombre$" | stats sum(PuetosTotal)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0xFFF","0xff0"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
</single>
</panel>
<panel>
<single>
<title>Puertos Libre</title>
<search>
<query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv" VendorCountry="$Pais$" VendorCity="$Ciudad$" Fabricante="$Fabricante$" Hostname="$Nombre$" | stats sum(PuertosLibre)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0xFFF","0xff0"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
</single>
</panel>
<panel>
<single>
<title>Puertos Ocupado</title>
<search>
<query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv" VendorCountry="$Pais$" VendorCity="$Ciudad$" Fabricante="$Fabricante$" Hostname="$Nombre$" | stats sum(PuertosUsado)</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="drilldown">none</option>
<option name="rangeColors">["0xFFF","0xff0"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Tabla de datos</title>
<table>
<search>
<query>source="E:\\REPOSITORIO\\Almacenamiento_prosegur.csv" host="ESDC1SVHWO053" sourcetype="csv" |search VendorCountry="$Pais$" VendorCity="$Ciudad$" Fabricante="$Fabricante$" Hostname="$Nombre$" | stats count by Hostname,Fabricante,Model,SerialNumber,NetoTBTotal,NetoTBAsignado,LibreTBTotal,VendorCity,PuetosTotal,PuertosUsado,PuertosLibre</query>
<earliest>0</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</dashboard>

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @EVACG,

as I said, using index in each search you'll have faster searches because in this way you limit the amount of data used in the search only to the index where data are stored and don't use all the indexes in the default search path!

Then I see that you have always the same search (the main search) in all your 8 panels, this means that you run in the same time 8 searches.

If you use the Post Process Search, you'll run only one search in the dashboard.

I'm sure that if you use these two approaches, you'll have a faster dashboard.

Then, have you the correct hardware resources (CPUs, RAMs and especially disks with at least 800 IOPS)?

Ciao.

Giuseppe

Tags (1)
0 Karma

EVACG
Observer

I'm going to try and tell you. Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @EVACG,

at first use always the index in your searches, you'll have faster searches!

Then, in the dashboard you shared I see only inputs, is it correct or not?

To better read your shared dashboard's code, it's better to use the "Insert/Edit Code Sample" button (the one with "</>").

Then generally, if you have more panelks in a dashboard, and many of these panels use a similar searchm you could use the Poste Process Search approach to have faster dashboards.

For more infos, you can see at https://docs.splunk.com/Documentation/Splunk/8.1.2/Viz/Savedsearches or in the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...