Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Pivot loading splunk excessively ?

agneticdk
Path Finder
‎11-06-2013 02:12 AM

Hi

In the example in 6.0 on the audit log: Splunk's Internal Audit Logs - SAMPLE and looking on the pivot of "Audit" - Under the menu "Audit" in top right corner there is the Acceleration, Earliest and Started.

Earliest is when the splunk installation was done, because the data model is over "All time" (no earliest parameter defined). So thats a long way back. And now I can see the accelereation just chews away.

If I make my own data model without earliest paramter it will always take "All time" I guess.

I have to be very careful on my pivot datamodels, because if I create a few datamodels and grant access to those for lets say 10 people, when they start clicking around in the Pivot menus these acceleration searches will run for each user, on each table or chart ? Resulting in my search head and indexers doing a lot of work, as it will continue running until either the search times out or finishes on "All time", for each user ?

One way to limit this is to grant users only access to a limited timeframe, or by adding "earliest" to my datamodel.

Any comments ?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

Simon_Fishel
Splunk Employee
Splunk Employee
‎11-06-2013 08:26 AM

The acceleration searches should run only once for each user's session in the pivot interface, they do not need to be re-run for each table and chart that is created. And they should expire soon after each user stops using the pivot interface. I wouldn't expect the load on the search head to be much different than from 10 users running searches over all time in the search interface.

Another way to limit the load would be to accelerate the data model. Then all users of pivot are actually sharing the results of a single acceleration search.

View solution in original post

Reply
Solved! Jump to solution
Solution

Simon_Fishel
Splunk Employee
Splunk Employee
‎11-06-2013 08:26 AM

The acceleration searches should run only once for each user's session in the pivot interface, they do not need to be re-run for each table and chart that is created. And they should expire soon after each user stops using the pivot interface. I wouldn't expect the load on the search head to be much different than from 10 users running searches over all time in the search interface.

Another way to limit the load would be to accelerate the data model. Then all users of pivot are actually sharing the results of a single acceleration search.

Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...