How to improve performance of a shared dashboard with panels running real-time searches if viewed by many users?

Communicator

We have created a dashboard with some panels showing real-time traffic. When someone opens this dashboard, it takes a long time to display data. It also creates another job in Splunk. Is this expected behavior? When the dashboard is viewed by many people, it impacts Splunk performance. Is there any way to implement a 'shared' dashboard in a better way?

0 Karma

SplunkTrust

You can schedule the RT search. Then everyone opening the dashboard will hook into the existing job instead of launching a new one, and will immediately get the job's current results.

Communicator

Thanks Martin.
If I schedule the RT search to run every 5 minutes, then it won't be real-time?

0 Karma

Champion

Setting the cron schedule on an RT search will leave the search running in real-time. For RT searches, the cron schedule indicates how often Splunk will kick off the search if it is not already running. If your RT search fails, the cron schedule will indicate how often Splunk will check and restart it if needed. I usually set scheduled RT searches to have a cron schedule of */5 * * * *.
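
The setup described in the replies above, written out as a savedsearches.conf stanza. This is an added example, not part of the original thread; the stanza name, index, sourcetype, search string and 5-minute window are assumptions chosen for illustration.

```ini
# savedsearches.conf (in the app that owns the dashboard)
# Stanza name, index, sourcetype and search string are hypothetical.
[Realtime Traffic Overview]
search = index=network sourcetype=firewall | timechart span=1m count by action

# Real-time window: the search keeps running and always covers the last 5 minutes.
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt

# Scheduling the search makes it one shared job instead of one job per viewer.
enableSched = 1

# For a real-time search the cron schedule is only a liveness check:
# every 5 minutes Splunk starts the search if it is not already running.
cron_schedule = */5 * * * *

# In the dashboard's Simple XML, reference the saved search by name so the
# panel attaches to the running job rather than dispatching an inline search:
#   <search ref="Realtime Traffic Overview"></search>
```

Viewers need read permission on the saved search for the panel to load its results.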