Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Best Practices When Dealing with Real Time Searches In Dashboards

daniel333
Builder
‎04-22-2015 02:47 PM

Hello,

This is sorta opened ended. Since I am not too familiar with Real time searches short of just running a quick search.

I have about 40 users, who will on and off want to use a dashboard which is using 3 real time searches. Once more than 4-5 users are using Splunk sorta grinds to a halt. How can I get them to share the same output, rather than running their searches separately?

Any other best practices I should be aware of?
1) Resource estimating
2) Setting time limits?
3) Real time searches and searches/per cpu impact?
4) ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎04-22-2015 03:02 PM

1 and 3 are the same. Each real-time search consumes 1 CPU core. You can add them as saved searches, and call the saved searches using the tags in your dashboard, rather than an in-line search. That should solve the problem you described, where multiple instances of the dashboard are consuming all of the CPU.

Honestly, best practice is to not use real-time. If you can schedule the searches to run on 1 minute intervals, it's far better utilization of resources.

View solution in original post

Reply
Solved! Jump to solution
Solution

masonmorales
Influencer
‎04-22-2015 03:02 PM

1 and 3 are the same. Each real-time search consumes 1 CPU core. You can add them as saved searches, and call the saved searches using the tags in your dashboard, rather than an in-line search. That should solve the problem you described, where multiple instances of the dashboard are consuming all of the CPU.

Honestly, best practice is to not use real-time. If you can schedule the searches to run on 1 minute intervals, it's far better utilization of resources.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...