Splunk Search

How to accelerate parameterized searches

despachoSTD
Explorer

Hi all,

I have a couple of applications, each of which has six or seven dashboards, with multiple users accessing them simultaneously.
All of the dashboards are similar in structure, consisting of a good number of complex searches. I have tried to use saved searches where possible, since the load time of the dashboards is far from acceptable; however, I do not know how to apply this technique to the vast majority of them, since most of the searches are parameterized with tokens that receive a value when invoked from a drilldown from another dashboard. Is there a way to accelerate these searches? Is it possible to save a parameterized search? If not, is there another mechanism to improve the performance?

Thanks in advance.

0 Karma
1 Solution

Jeremiah
Motivator

There are a couple of things you could try.

  • You can use summary searches, and then in your dashboards search the summarized data. You'll need to include any fields you might want to search by in your summary search, otherwise that field would be lost.

http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Usesummaryindexing

  • Accelerated data models will in general make dashboard and reports against the data model faster.

http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Acceleratedatamodels

  • You could invoke your saved searches on a schedule, and then use the loadjob command to load the results and pipe them to another search/transforming command using your tokens.

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Loadjob

  • You could try to use accelerated searches as your primary search and then use the tokens in post-process searches in your panels. There's a section on using post-process searches in the link below. This would probably only work if a) your base accelerated search returned transformed data (i.e., a stats table), b) you were selecting out a subset of rows using a token, and c) you needed multiple panels referencing the same base search.

http://docs.splunk.com/Documentation/Splunk/6.3.3/Viz/Savedsearches

Which option you choose depends on what your searches look like, how much work you want Splunk to perform in the background, and how much control you want over the acceleration.
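The third and fourth options above combined into one Simple XML dashboard, as an added example that is not part of the original answer: a base search loads the cached results of a scheduled saved search with `loadjob`, and a panel applies the drilldown token in a post-process search. The saved search name `auth_failures_hourly`, the owner `admin`, the app `search`, the token `host_tok` and the fields `host`, `user` and `count` are all assumptions.

```xml
<form>
  <label>Authentication failures (added example: loadjob base search + post-process)</label>
  <fieldset submitButton="false">
    <!-- Populated by the drilldown from another dashboard, or edited by hand. -->
    <input type="text" token="host_tok">
      <label>Host</label>
      <default>*</default>
    </input>
  </fieldset>

  <!-- Base search: no raw events are scanned here. loadjob fetches the results
       artifact of the most recent scheduled run of the saved search
       (assumed name; format is owner:app:savedsearch). That saved search must
       already be transformed (e.g. "... | stats count BY host user") and must
       keep every field the panels later filter or split by, otherwise the field
       is gone by the time the post-process search runs. -->
  <search id="base">
    <query>| loadjob savedsearch="admin:search:auth_failures_hourly"</query>
  </search>

  <row>
    <panel>
      <title>Failures by user on $host_tok$</title>
      <table>
        <!-- Post-process search: the token only selects rows out of the
             already-loaded stats table, so every drilldown and every
             concurrent viewer reuses the same cached job instead of
             re-running the expensive search. -->
        <search base="base">
          <query>search host="$host_tok$" | stats sum(count) AS failures BY user | sort - failures</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Note that a scheduled search runs with its owner's permissions, so the cached results can contain events a viewing user could not search for directly; share the saved search and its artifacts only with roles that are allowed to see that data.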
