Splunk Enterprise

Help on dashboard performance

jip31
Motivator

Hi,

I use a dashboard with 17 panels (12 single panels and 5 table panels) that works in real-time.

In this case, real time means that I can use scheduled search because I need to have the last events every time I launch my dashboard.

By default, my timepicker is on the last 24 hours.

The index is always the same but I use 10 different sourcetypes.

I must imperatively use real time.

Most of the time I use post-process searches in order to avoid querying the index and the sourcetype many times.

The problem I have is a slow display: sometimes it works almost fine, and most of the time I have a message "waiting for data" or "waiting for queued job to start".

I also think that for the past 2 days there have been slowness issues behind the indexers, because I have tested other dashboards and they are slow too.

What are best practices for dashboards in real time, please?


richgalloway
SplunkTrust

Searching over a 24-hour time window means this is not a real-time dashboard.  Real-time searches display events as soon as they arrive whereas this dashboard has to be re-run to detect new events.

A dashboard that is "waiting for data" is waiting for results to come back from the indexers.  The delay could be caused by an inefficient search, by a large quantity of data being searched, or by indexers that are too busy.

The "waiting for queued job to start" message means there are other searches taking place and the dashboard has to wait for resources to be available.  That can happen when the dashboard runs at a busy time, like the top of an hour.

---
If this reply helps you, Karma would be appreciated.
