Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

In dashboards we have lookups which is slow so need an alternative approach like summary index or KV store

VijaySrrie
Builder
‎03-03-2021 06:56 AM

Hi,

In dashboards we have lookups which is slow so need an alternative approach like summary index or KV store

The lookup volume is sooo high

We tried to go with summary index which uses subsearches, but there is a limit, were subsearches > 50K will be skipped so we were not able to go with summary index.

Is there any other possible ways?

Labels (3)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-30-2021 02:49 PM

When using KV store be sure to consider using accelerated fields

https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/usingconfigurationfiles/#...

they can significantly improve performance if set up correctly.

 

0 Karma
Reply

Funderburg78
Path Finder
‎03-30-2021 05:43 AM

One way is to create a kvstore Review this article and it also links to the Splunk Docs: https://community.splunk.com/t5/Knowledge-Management/How-do-I-view-use-my-Splunk-KV-store-collection...

 

The quicker easier lazier and not best way it to build reports which generate data locally on the searchhead to a csv file using |outputlookup or |outputcsv and a file name.  it would look like this:

index=whatever  "your other code here"  | outputlookup mydata.csv

then on your dashboard you call the csv file data and sort or table or count whatever...

so for a table view I do:

|inputlookup mydata.csv | table field 1 field 3, field 5

If you are creating large data files you may want to use inputcsv instead as this will not replicate across distributed systems.  There are downsides to inputcsv also!

 

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Inputlookup

https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Inputcsv

https://community.splunk.com/t5/Archive/what-is-the-difference-between-inputcsv-and-inputlookup/m-p/...

 

Good luck!  And don't forget Karma if this helped you!!!

 

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...