Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to optimize my dashboard panel

klim
Path Finder
‎06-09-2023 11:29 AM

I have a search that gets the top users over a long periods of time . It also displays the most common field X value which can be any value.

So it would be something like: index=some_index | stats count mode(field_X) by user | sort - count | head 10

That takes 30 seconds for 5 million events for 1 day of data. I want to run this for longer periods of time like a month or even longer.

Is the best method to increase performance to just summary index the above example but just removing the top 10 part? 

Labels (1)
Labels
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-09-2023 02:49 PM

Hi @klim ...actually you should provide us more details..

1.  how big is the index you are querying, approx

2. the dashboard got how many panels.. the dashboard SPL query if you can share with us, that would be perfect. 

3. old classic dashboard or the new dashboard studio ?!?!

4. are you using "base search"?..if not, then.. 
if you have got multiple panels, then, using a "base search" to create the base results and on each panel you can re-use the base search results and do remaining tasks.. that would increase the performance pretty good. you can search for base search and you can find many posts here this community. 

if u r having any specific 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

klim
Path Finder
‎06-09-2023 03:02 PM

@Anonymous 

The index is ~1.5 TB.

I can't share the dashboard panels with you but they don't use the same base search. It is a bunch of panels that show the top counts of fields with high variance. But even with just one of these searches how could we improve performance so that it finishes a month of data in a reasonable amount of time?

I am using the old dashboard but could use the new one.

0 Karma
Reply
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Top