Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- XML menu tuning
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jamesdon
Path Finder
06-30-2011
12:48 PM
I am trying to get my menus to load faster. It seems like the searches are searching over all time, because it was really fast when I first started collecting data. I tried to move the Time Picker to the top of the search, but that didn't seem to help it load any faster.
Does anyone have advice on how to speed them up?
<?xml version="1.0"?>
<view onunloadCancelJobs="False" autoCancelInterval="100">
<!-- autoCancelInterval is set here to 100 -->
<label>Active VPN users</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="SearchBar" layoutPanel="splSearchControls-inline">
<param name="label">Search</param>
<param name="default">*</param>
<param name="useOwnSubmitButton">False</param>
<!-- HiddenIntention that inserts index="vpn_access". -->
<module name="HiddenIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="index">vpn_access</param>
</param>
<!-- tells the addterm intention to put our term in the first search clause no matter what. -->
<param name="flags"><list>indexed</list></param>
</param>
<!-- Search to build the drop down menu items. -->
<module name="SearchSelectLister" layoutPanel="splSearchControls-inline">
<param name="label">VPN Concentrator</param>
<param name="settingToCreate">element_name</param>
<param name="search">index=vpn_access element_name=* | stats count by element_name | sort element_name</param>
<param name="searchWhenChanged">True</param>
<param name="staticFieldsToDisplay">
<list>
<param name="label">ALL</param>
<param name="value">*</param>
</list>
</param>
<param name="selected">ALL</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">element_name</param>
<param name="value">element_name</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">element_name</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="element_name">$target$</param>
</param>
<!-- tells the addterm intention to put our term in the first search clause no matter what. -->
<param name="flags"><list>indexed</list></param>
</param>
<!-- Search to build the drop down menu items. -->
<module name="SearchSelectLister" layoutPanel="splSearchControls-inline">
<param name="label">Group Policy</param>
<param name="settingToCreate">group_policy</param>
<param name="search"> | stats count by group_policy | sort group_policy</param>
<param name="applyOuterIntentionsToInternalSearch">True</param>
<param name="staticFieldsToDisplay">
<list>
<param name="label">ALL</param>
<param name="value">*</param>
</list>
</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">group_policy</param>
<param name="value">group_policy</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">group_policy</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="group_policy">$target$</param>
</param>
<!-- tells the addterm intention to put our term in the first search clause no matter what. -->
<param name="flags"><list>indexed</list></param>
</param>
<!-- Search to build the drop down menu items. -->
<module name="SearchSelectLister" layoutPanel="splSearchControls-inline">
<param name="label">Username</param>
<param name="settingToCreate">username</param>
<param name="search"> | stats count by username | sort username</param>
<param name="applyOuterIntentionsToInternalSearch">True</param>
<param name="staticFieldsToDisplay">
<list>
<param name="label">ALL</param>
<param name="value">*</param>
</list>
</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">username</param>
<param name="value">username</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">username</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="username">$target$</param>
</param>
<!-- tells the addterm intention to put our term in the first search clause no matter what. -->
<param name="flags"><list>indexed</list></param>
</param>
<!-- Time picker. -->
<module name="TimeRangePicker">
<param name="label">Time Picker</param>
<param name="selected">Last 4 hours</param>
<param name="searchWhenChanged">True</param>
<module name="SubmitButton">
<param name="allowSoftSubmit">True</param>
<!-- Google Map. -->
<module name="GenericHeader" layoutPanel="graphArea">
<param name="label">Google Map</param>
</module>
<module name="HiddenSearch" layoutPanel="graphArea" autoRun="true">
<param name="search"> | dedup vpn_index | localop | geoip public_ip</param>
<module name="GoogleMaps">
<param name="drilldown">true</param>
<param name="drilldown_field">public_ip</param>
<param name="doubleClickZoom">off</param>
<param name="height">600px</param>
<param name="mapType">roadmap</param>
<param name="scrollwheel">off</param>
<param name="streetViewControl">on</param>
<!-- Search results in a table that updates with clicks. -->
<module name="HiddenSearch" autoRun="False">
<param name="search">index=vpn_access $clientips$</param>
<module name="ConvertToIntention">
<param name="settingToConvert">maps.drilldown</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="clientips">
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="JobProgressIndicator">
</module>
<module name="HiddenPostProcess">
<param name="search">dedup vpn_index | localop | geoip public_ip | rename public_ip as "public ip" assigned_ip as "assigned ip" public_ip_country_code as code public_ip_country_name as country public_ip_city as city public_ip_region_name as "state / region" bytes_rx as "bytes rx" bytes_tx as "bytes tx" | table username "public ip" "assigned ip" country code city "state / region" "bytes rx" "bytes tx" duration | sort - bytes_tx</param>
<module name="SimpleResultsTable">
<param name="drilldown">row</param>
<param name="count">1000</param>
<param name="entityName">results</param>
<module name="HiddenSearch">
<param name="search">eventtype=public_ip="$public_ip$"</param>
<module name="ConvertToIntention">
<param name="settingToConvert">click.value</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="public_ip">
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
<param name="popup">true</param>
</module>
</module>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="label">View events...</param>
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hexx
Splunk Employee
07-07-2011
06:09 PM
I am counting 3 pull-down menus populated by cascading searches :
- 1st pull-down :
index=vpn_access element_name=* | stats count by element_name | sort element_name - 2nd pull-down :
index=vpn_access $element_name$ | stats count by group_policy | sort group_policy - 3rd pull-down :
index=vpn_access $element_name$ $group_policy$ | stats count by username | sort username
As the size of your vpn_access index grows, the drop-down population will become more and more costly, as these searches are currently rigged to iterate through all events of that index.
I have one of two recommendations :
Use the
earliestandlatestparameters of theSearchSelectListermodule to restrict the time-range of the pull-down populating searches. See the module reference for SearchSelectLister for more information.If you absolutely need for the pull-down populating searches to iterate through all of the information contained in the
vpn_accessindex, the best way to go is to set up a summary index from which these searches can generate the pull-down values. For more information on how to achieve this, see this topic in the Knowledge Manager manual.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hexx
Splunk Employee
07-07-2011
06:09 PM
I am counting 3 pull-down menus populated by cascading searches :
- 1st pull-down :
index=vpn_access element_name=* | stats count by element_name | sort element_name - 2nd pull-down :
index=vpn_access $element_name$ | stats count by group_policy | sort group_policy - 3rd pull-down :
index=vpn_access $element_name$ $group_policy$ | stats count by username | sort username
As the size of your vpn_access index grows, the drop-down population will become more and more costly, as these searches are currently rigged to iterate through all events of that index.
I have one of two recommendations :
Use the
earliestandlatestparameters of theSearchSelectListermodule to restrict the time-range of the pull-down populating searches. See the module reference for SearchSelectLister for more information.If you absolutely need for the pull-down populating searches to iterate through all of the information contained in the
vpn_accessindex, the best way to go is to set up a summary index from which these searches can generate the pull-down values. For more information on how to achieve this, see this topic in the Knowledge Manager manual.
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
