Knowledge Management

I have around 10 to 15 panels in a dashboards. please help in creating summary index

DataOrg
Builder

please help me in creating summary index for the 15 panels.
All the datas comes from two indexes which is not saved as report. some panels uses join to both index.
i want to create to optimize since index have to much data.

0 Karma

ssadanala1
Contributor

Indexing the results into summary index might not help because it has too much data .

Populate the dashboard by using reports .

-->create a report

--> accelerate the report and select your summary range .

-->schedule the report for smaller time ranges like an hour as per search completion time .

-->save it and add it to the dashboard .

More info can be found at

https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Manageacceleratedsearchsummaries

0 Karma

DataOrg
Builder

hi @ssadanala1
i have created the report which is running on the index but when i tried editing summary indexing option in report page. it is blank option.
when i try with dbquery i could able to see the summary index edition option with checkbox

0 Karma

jaracan
Communicator

Sharing some best practices in building dashboards. Hope this helps you optimize your dashboard.

  1. Global Searches
    Reduce number of searches in dashboards where possible, use global searches with post processing to avoid the same data being requested multiple times.
    Reference:
    http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/Savedsearches#Post-process_searches

  2. Saved searches.
    It always offer the best performance as Splunk will check to see if the same search is already being executed or if it has any saved results and use those. If you just put an inline search then every time the dashboard is loaded it will execute the search, that means that if 4 users access the same dashboard it will fire 4 times. If it was a saved search then all 4 users would load the 1 set of search results.
    Reference:
    http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/Savedsearches

  3. Reports Acceleration
    If your report has a large number of events and is slow to complete when you run it, you may be able to accelerate it so it completes faster when you run it in the future.
    Reference:
    http://docs.splunk.com/Documentation/Splunk/6.2.5/Report/Acceleratereports

  4. Scheduled Search and Summary Indexing
    You use summary indexing when you need to perform analysis/reports on large amounts of data over long timespans, which typically can be quite time consuming, and a drain on performance if several users are running similar reports on a regular basis.
    Reference:
    http://docs.splunk.com/Documentation/Splunk/6.2.5/Report/Schedulereports#Enable_summary_indexing

  5. Search Macros
    Use macro commands to reduce the length of search queries, improve readability and consistency between searches. Reference:
    http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Usesearchmacros

  6. Lookups
    For static set of types, labels, values or thresholds setup lookup definitions linked to static lookup files. Use these fast lookups in dropdowns or to enrich existing data. Reference:
    http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/Useexternalfieldlookups

  7. Accelerate Data Model
    Data model acceleration is a tool that you can use to speed up data models that represent extremely large datasets. After acceleration, pivots based on accelerated data model datasets complete quicker than they did before, as do reports and dashboard panels that are based on those pivots.
    Reference:
    http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Acceleratedatamodels

  8. Dashboard Visualizations
    Keep it simple, stick to Simple XML dashboards where possible and Advanced for specific requirements. Install Splunk’s Dashboard example apps and learn to use them effectively.
    Reference:
    https://splunkbase.splunk.com/app/1603/

0 Karma

DataOrg
Builder

hi @jaracan ,
is we cant configure the summary index on which report is running on the index because i could see summary indexing page is blank but when i do the report on dbquery i could see summary index page

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...