- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Optimizing Dashboard Searches
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a dashboard that has 9 searches. I currently extract my graph from 6 Summary Indexes. 5 of the Summary Indexes come from the same data set and 3 of the searches is the exact same data except that it is grouped.
0) I have done a pre-search for the 3 pairs of data. (aka I have figured out how to methods, barely)
1) I would like to get this to 3 searches so that normal users can display the dashboard. What constitutes a search: a data base search? or does the post search also count?
2) I did some rough counts, If I merge the 5 summary-indexes into one, there will be about 300 events per minute. Does this help or hurt the dashboard?
3) Some of the charts I can only get 2 hours worth of data to display instead of 4 which the others can get, I don't know where I am running into this limitation. (I get everything when I do the origional dashboard with 9 searches.)
4) when doing a pre-search on the dashboard can you do a double pre-search? This would help the pairs of data I refered to above.
I feel that I am running into some road blocks as I am transfering my view form simple to optimized.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I did pre-searches so that I can display the data in two ways, a sumary and a more granularity. I was able to cut my searches in half. I also ran into the limit of the graphing display, so instead of setting a time limit, I let the graphing program do more of the work. I was also running into the 10,000 limit for GUI
I was also able to merge several time ranges into one view by use of a time selector.
In general I learned a bit since I posted this, and wanted to close the question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I did pre-searches so that I can display the data in two ways, a sumary and a more granularity. I was able to cut my searches in half. I also ran into the limit of the graphing display, so instead of setting a time limit, I let the graphing program do more of the work. I was also running into the 10,000 limit for GUI
I was also able to merge several time ranges into one view by use of a time selector.
In general I learned a bit since I posted this, and wanted to close the question.
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
