I have a dashboard with a number of panels. One of the panels needs to output all events for an index under certain conditions like certain src, port, sourcetype, etc.
The other panels in the dashboard use base searches and output only counts. These panels work.
However, the panel outputting the events uses a saved search and NEVER finishes, even when I change the time range to VERY small time ranges like 30 seconds. I need the panel's search to complete as the stakeholder wants to export the panel's results.
The following is the slow panel on the Dashboard:
And here is the respective Saved Search:
Can you please help?
From your comments, it appears that your tokens in the dashboard are of the form
rather than just the value, i.e. the token $sourcetype_tok$ is actually sourcetype=bla_bla_bla
Your panel has no time range, so should probably use the time range from the saved search - did you change the time in the saved search to 30 seconds?
You should look at the job inspector for the running job - that will give you an indication of what is going wrong and where the search is stuck - if that is the case.
Trying something like transaction or join to SOLVE a suspected performance issue is probably not the place to start - they have their own performance implications.
Your saved search is very basic. Is there even a reason to use a saved search? Why not copy the saved search into the dashboard and give it a time range, and you can see if it finishes there. At least that is a simple way to get a better understanding of whether the saved search mechanism, rather than the search itself, is the issue.
Generally if it's not finishing, it could be a data size issue, which might indicate a time range problem.
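As an added illustration of the advice above (this is example code, not from the original thread or any of its posters), here is a Simple XML dashboard fragment that applies the suggestions: the dropdown token carries only the sourcetype value, so the query can say sourcetype=$sourcetype_tok$ without doubling up; the saved search is inlined into the panel; and the panel gets an explicit time range from a dashboard time picker instead of relying on whatever the saved search was configured with. The index name firewall, the token names, the dropdown choices and the field list in the table command are assumptions made for the example.

```xml
<form>
  <label>Firewall events (example dashboard)</label>
  <fieldset submitButton="false">
    <!-- Token holds only the value (e.g. pan:traffic), NOT "sourcetype=pan:traffic",
         so the query below can use it as sourcetype=$sourcetype_tok$.
         Choice values are assumed for the example. -->
    <input type="dropdown" token="sourcetype_tok">
      <label>Sourcetype</label>
      <choice value="pan:traffic">pan:traffic</choice>
      <choice value="cisco:asa">cisco:asa</choice>
      <default>pan:traffic</default>
    </input>
    <input type="text" token="dest">
      <label>Destination IP</label>
    </input>
    <!-- Dashboard-level time picker; the event panel references it explicitly -->
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Firewall events (inline search with explicit time range)</title>
      <table>
        <search>
          <!-- The former saved search copied inline; index and field names are assumptions -->
          <query>index=firewall sourcetype=$sourcetype_tok$ dest=$dest$
| table _time src src_port dest dest_port action</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>
```

If the token must keep the full sourcetype=... expression, write the query as index=firewall $sourcetype_tok$ dest=$dest$ instead, so the field name is not repeated. Either way, open the panel's search with the magnifying glass, confirm that the SPL after token substitution is what you expect, and use the Job Inspector on that job to see where the time is spent.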
It seems like your filters are not working correctly. Can you add these to your saved search?
index=firewal sourcetype=$sourcetype_tok$ dest=$dest$ ...
I cannot do this as then it would be sourcetype = sourcetype = $sourcetype$.
The panels are working, it is just that the 2 event panels NEVER finish. I need them to finish loading so the user can export the results from the panel.
Can the transaction command help and if so, how can I incorporate this into my search?
Can you click magnifying glass on the slow panel and share the search after tokens replaced with values?
The panels all work, except the 2 event panels never finish loading, so the export option is never enabled for the user.
Could the transaction command help potentially and how could I use this?
On the panel, instead of sourcetype_tok=$sourcetype_tok$, can you try it without sourcetype_tok? And the same with the other fields.
| savedsearch searchname $sourcetype_tok$ ...
You have two solutions:
The first, if possible, is to optimize your search or change its logic (e.g. if you use transaction or join).
The second is accelerating your search, following one of the methods described at https://docs.splunk.com/Documentation/Splunk/8.2.5/Knowledge/Aboutsummaryindexing or at https://docs.splunk.com/Documentation/Splunk/latest/Report/Acceleratereports, or using an accelerated Data Model (https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Acceleratedatamodels).
How can I incorporate the transaction command into my query then? I have been trying with no results.
As for the acceleration, I appear to not have permissions to accelerate the dashboard or even the saved searches.
(I gave you Karma for your last post though 😀)