Dashboards & Visualizations

Optimising the population of data in my dashboard panel for a daily size count of events indexed for 7 days.

bapun18
Communicator

Hi,
I have prepared a weekly monitoring dashboard for the size count of events ingested daily for a specific index and sourcetypes, but as it populates it takes a lot of time to load, as the count of events is pretty huge. I can't use tstats as I used eval in the query for summation purposes. Suggest me any solutions to quickly run the dashboard panel's populated data.
Below is the query which I have implemented:

index=myvdf_smapi_de_db sourcetype=smapi_collector_android_myvf_de
| eval bytes=len(_raw)
| bucket span=1d _time
| stats sum(bytes) by _time

The timestamp I need is weekly.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi bapun18,
did you explore the summary index approach?
In a few words, you have to schedule (e.g. every night at 1:00 AM) a search putting its results in a summary index, and then you can use this index for your searches with much faster response times.
So you could schedule at 01:00 AM a search like the following:

index=myvdf_smapi_de_db sourcetype=smapi_collector_android_myvf_de earliest=-d@d latest=@d
| eval bytes=len(_raw)
| bucket span=1d _time
| stats sum(bytes) as bytes by _time
| eval Mbytes=bytes/1024/1024
| collect index=my_summary

Then run a search, like the following:

index=my_summary earliest=-7d@d latest=@d
| table _time Mbytes

Obviously, if there is additional information useful for you, you can add it to the scheduled search.

Ciao.
Giuseppe

0 Karma

bapun18
Communicator

Hi Arjun,
Thanks for the response, but I was wondering: apart from creating a summary index for a single panel's data of the whole dashboard, isn't there any method to fine-tune the query and load the dashboard panel data quickly, like some Splunk command similar to tstats which considers certain evaluations as well as optimizes the result time?

0 Karma

bapun18
Communicator

Hi gcusello,
Sorry, I wrongly posted your name.

0 Karma

arjunpkishore5
Motivator

This data is already available in the _internal index. For weekly, set your span to 1w.

index=_internal source=*license_usage.log idx=myvdf_smapi_de_db st=smapi_collector_android_myvf_de
| bucket span=1w _time
| stats sum(b) by _time

Hope this helps.

Cheers

0 Karma
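To make the two suggestions in this thread concrete (pre-aggregating bytes per day as the summary search does, and reading the already-recorded per-index/per-sourcetype byte counts from license_usage.log as the _internal search does), here is an added example that is not part of the original thread or of Splunk's own code. It parses constructed lines in the shape of license_usage.log Usage records, sums the b field per day or per week for one idx/st pair, and lists the idx and st values actually present, which is the first thing to compare against the filter when such a search returns no rows. The sample lines, the Monday week boundary and the helper names are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Splunk's license_usage.log
# "Usage" records; idx, st and b are the fields the thread's _internal
# query relies on. All values are made up for this example.
SAMPLE_LINES = [
    '04-06-2020 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/app.log" '
    'st="smapi_collector_android_myvf_de" h="host1" o="" idx="myvdf_smapi_de_db" i="ABC" '
    'pool="auto_generated_pool_enterprise" b=1048576 poolsz=1073741824',
    '04-06-2020 00:00:02.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/app.log" '
    'st="smapi_collector_android_myvf_de" h="host2" o="" idx="myvdf_smapi_de_db" i="ABC" '
    'pool="auto_generated_pool_enterprise" b=2097152 poolsz=1073741824',
    '04-07-2020 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/other.log" '
    'st="other_sourcetype" h="host1" o="" idx="myvdf_smapi_de_db" i="ABC" '
    'pool="auto_generated_pool_enterprise" b=4096 poolsz=1073741824',
    '04-07-2020 00:00:03.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/app.log" '
    'st="smapi_collector_android_myvf_de" h="host1" o="" idx="myvdf_smapi_de_db" i="ABC" '
    'pool="auto_generated_pool_enterprise" b=524288 poolsz=1073741824',
    # Constructed non-Usage record: it must not contribute to the byte totals.
    '04-07-2020 00:00:04.000 +0000 INFO  LicenseUsage - type="RolloverSummary" stacksz=1073741824',
]

TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3}")
# key=value pairs; the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_usage_line(line):
    """Return the fields of a type="Usage" record (with 'time' and int 'b'), else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    fields = {}
    for key, _, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    if fields.get("type") != "Usage" or "b" not in fields:
        return None
    fields["time"] = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S")
    fields["b"] = int(fields["b"])
    return fields


def bucket_start(ts, span):
    """Floor ts to the start of its day ("1d") or week ("1w"), like bucket span=...
    The week starts on Monday here; that is a choice made for this example."""
    day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if span == "1d":
        return day
    if span == "1w":
        return day - timedelta(days=day.weekday())
    raise ValueError("unsupported span: " + span)


def bytes_by_bucket(lines, idx, st, span="1d"):
    """Sum b per bucket for one index/sourcetype pair: the equivalent of
    'idx=... st=... | bucket span=... _time | stats sum(b) by _time'."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_usage_line(line)
        if rec is None or rec.get("idx") != idx or rec.get("st") != st:
            continue
        totals[bucket_start(rec["time"], span).strftime("%Y-%m-%d")] += rec["b"]
    return dict(totals)


def observed_values(lines, field):
    """Distinct values of one field across Usage records. When a filtered search
    returns nothing, compare the filter against this list before anything else."""
    return sorted({rec[field] for rec in map(parse_usage_line, lines) if rec and field in rec})


if __name__ == "__main__":
    idx, st = "myvdf_smapi_de_db", "smapi_collector_android_myvf_de"
    for span in ("1d", "1w"):
        for start, total in sorted(bytes_by_bucket(SAMPLE_LINES, idx, st, span).items()):
            print(span, start, total, "bytes", round(total / 1024 / 1024, 2), "MB")
    print("idx values seen:", observed_values(SAMPLE_LINES, "idx"))
    print("st values seen: ", observed_values(SAMPLE_LINES, "st"))
```

The per-bucket totals are exactly what a nightly summary search would write once and a dashboard panel would then read back, instead of rescanning every raw event; the observed_values helper shows why a search over license_usage.log can legitimately return nothing when the idx or st value in the filter differs from what was actually logged.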

bapun18
Communicator

Hi Arjun,
Nothing is getting populated if I run the above-mentioned query.

0 Karma