Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to accelerate parameterized searches
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I have a couple applications that each of them have six or seven dashboards, with multiple users accesing simultaneously.
All of the dashboards are similar in structure, consisting of a good number of complex searches. I have tried to use saved searches where possible, since the load time of the dashboards is far from acceptable, however, I do not know how to apply this technique to the vast majority of them, since most of the searches are parameterized with tokens that receive a value when invoked from a drilldown from another dashboard. Is there a way to accelerate these searches? Is it possible to save a parameterized search? If not, is there another mechanism to improve the performance?
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are a couple of things you could try.
- You can use summary searches, and then in your dashboards search the summarized data. You'll need to include any fields you might want to search by in your summary search, otherwise that field would be lost.
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Usesummaryindexing
- Accelerated data models will in general make dashboard and reports against the data model faster.
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Acceleratedatamodels
- You could invoke your saved searches on a schedule, and then use the loadjob command to load the results and pipe them to another search/transforming command using your tokens.
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Loadjob
- You could try to use accelerated searches as your primary search and then use the tokens in post-process searches in your panels. There's a section on using post-process searches in the link below. This would probably only work if a) your base accelerated search returned transformed data (ie, a stats table), b) you were selecting out a subset of rows using a token, and c) you needed multiple panels referencing the same same base search.
http://docs.splunk.com/Documentation/Splunk/6.3.3/Viz/Savedsearches
Which option you choose depends on what your searches look like, how much work you want Splunk to perform in the background, and how much control you want over the acceleration.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are a couple of things you could try.
- You can use summary searches, and then in your dashboards search the summarized data. You'll need to include any fields you might want to search by in your summary search, otherwise that field would be lost.
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Usesummaryindexing
- Accelerated data models will in general make dashboard and reports against the data model faster.
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Acceleratedatamodels
- You could invoke your saved searches on a schedule, and then use the loadjob command to load the results and pipe them to another search/transforming command using your tokens.
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Loadjob
- You could try to use accelerated searches as your primary search and then use the tokens in post-process searches in your panels. There's a section on using post-process searches in the link below. This would probably only work if a) your base accelerated search returned transformed data (ie, a stats table), b) you were selecting out a subset of rows using a token, and c) you needed multiple panels referencing the same same base search.
http://docs.splunk.com/Documentation/Splunk/6.3.3/Viz/Savedsearches
Which option you choose depends on what your searches look like, how much work you want Splunk to perform in the background, and how much control you want over the acceleration.
Splunk Observability for AI
[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events
Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!
