Dashboards & Visualizations

Slow Panel on Dashboard

POR160893
Builder

Hi,

I have a dashboard with a number of panels. One of the panels needs to output all events for an index under certain conditions like certain src, port, sourcetype, etc.

The other panels in the dashboard uses base searches and outputs only counts. These panels work.

However, the panel outputting the events uses a saved search and NEVER finishes, even when I change the time range to VERY small time ranges like 30 seconds. I need the panel's search to complete as the stakeholder wants to export the panel's results..

The following is the slow panel on the Dashboard:
Slow_Panel_Calling_SavedSearch.PNG

And here is the respective Saved Search:
Slow_SavedSearch.PNG

Can you please help? 


Thank you,
Patrick

Labels (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

@POR160893 

From your comments, it appears that your tokens in the dashboard are of the form

field=value

rather than just the value, i.e. the token $sourcetype_tok$ is actually sourcetype=bla_bla_bla

Your panel has no time range, so should probably use the time range from the saved search - did you change the time in the saved search to 30 seconds?

You should look at the job inspector for the running job - that will give you an indication of what is going wrong and where the search is stuck - if that is the case.

Trying something like transaction or join to SOLVE a suspected performance issue is probably not the place to start - they have their own performance implications.

Your saved search is very basic. Is there even a reason to use a saved search - why not copy the saved search into the dashboard and give it a time range and you can see if it finishes there.  At least that is a simple way to get a better understanding if the saved search mechanism, rather than the search itself is the issue.

Generally if it's not finishing, it could be a data size issue, which might indicate a time range problem.

 

0 Karma

BahadirS
Path Finder

Hello @POR160893,

It seems like your filters are not working correctly. Can you add these to your saved search?

index=firewal sourcetype=$sourcetype_tok$ dest=$dest$ ...

0 Karma

POR160893
Builder

I cannot do this as then it would be sourcetype = sourcetype = $sourcetype$.

The panels are working, it is just that the 2 events panels NEVER finish finish. I need them to finish loading so the user can export the results from the panel.

Can the transaction command help and if so, how can I incorporate this into my search?






0 Karma

BahadirS
Path Finder

Can you click magnifying glass on the slow panel and share the search after tokens replaced with values?

0 Karma

POR160893
Builder


The panels all work, except the 2 event panels never finish loading, so the export option is never enabled for the user.

Could the transaction command help potentially and how could I use this?

0 Karma

BahadirS
Path Finder

On the panel instead of sourcetype_tok=$sourcetype_tok$ on the panel, can you try it without sourcetype_tok. And same with other fields. 

| savedsearch searchname $sourcetype_tok$ ...

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @POR160893,

you have two solutions:

The first, if possible, is to optimize your search or change its logic (e.g. if you use transaction or join).

Se thesond is accelerating your search, following one ot the methods described at https://docs.splunk.com/Documentation/Splunk/8.2.5/Knowledge/Aboutsummaryindexing or at https://docs.splunk.com/Documentation/Splunk/latest/Report/Acceleratereports or using an accelated DataModel (https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Acceleratedatamodels).

Ciao.

Giuseppe

0 Karma

POR160893
Builder

Hi,

I can I incorporate the transaction command into my. query then? I have been trying with no results.

As for the acceleration, I appear to not have permissions to accelerate the dashboard or even the saved searches.

(I gave you Karma for your last port though 😀)

Thanks,

Patrick 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...