Splunk Search

How to optimize my dashboard panel

klim
Path Finder

I have a search that gets the top users over a long period of time. It also displays the most common field X value, which can be any value.

So it would be something like: index=some_index | stats count mode(field_X) by user | sort - count | head 10

That takes 30 seconds for 5 million events for 1 day of data. I want to run this for longer periods of time like a month or even longer.

Is the best method to increase performance to just summary index the above example but just removing the top 10 part? 

0 Karma

inventsekar
SplunkTrust

Hi @klim, actually you should provide us more details.

1. How big is the index you are querying, approximately?

2. How many panels does the dashboard have? If you can share the dashboard SPL query with us, that would be perfect.

3. Old classic dashboard or the new Dashboard Studio?

4. Are you using a "base search"? If not, then if you have multiple panels, you can use a "base search" to create the base results, and each panel can re-use the base search results and do the remaining tasks. That would increase the performance pretty well. You can search for base search and find many posts here in this community.

If you are having any specific

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!
0 Karma

klim
Path Finder

@Anonymous 

The index is ~1.5 TB.

I can't share the dashboard panels with you but they don't use the same base search. It is a bunch of panels that show the top counts of fields with high variance. But even with just one of these searches how could we improve performance so that it finishes a month of data in a reasonable amount of time?

I am using the old dashboard but could use the new one.

0 Karma
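An added illustration, not posted by anyone in this thread: the summary-index idea from the question stores one row per user per day with that day's mode, and daily modes cannot be merged into the mode for the whole period, whereas daily counts per (user, field_X) pair can. The events and function names below are constructed for the example; it models the arithmetic in Python rather than running Splunk.

```python
from collections import Counter, defaultdict

# Constructed sample events (day, user, field_X); not data from the thread.
EVENTS = (
    [("d1", "alice", "A")] * 3 + [("d1", "alice", "B")] * 2
    + [("d2", "alice", "C")] * 3 + [("d2", "alice", "B")] * 2
    + [("d1", "bob", "Z")]
)

def daily_mode_summary(events):
    """Summary as proposed: one row per (day, user) holding count and mode."""
    per_day = defaultdict(Counter)
    for day, user, x in events:
        per_day[(day, user)][x] += 1
    return {k: (sum(c.values()), c.most_common(1)[0][0])
            for k, c in per_day.items()}

def daily_pair_summary(events):
    """Mergeable summary: one row per (day, user, field_X) with its count."""
    return Counter(events)

def report_from_modes(mode_rows, n=10):
    """Top-n users from daily modes: counts add up, the mode is only a guess."""
    totals, votes = Counter(), defaultdict(Counter)
    for (_day, user), (cnt, mode) in mode_rows.items():
        totals[user] += cnt
        votes[user][mode] += 1  # best available: most frequent daily mode
    rows = [(u, totals[u], votes[u].most_common(1)[0][0]) for u in totals]
    return sorted(rows, key=lambda r: -r[1])[:n]

def report_from_pairs(pair_rows, n=10):
    """Top-n users from per-pair counts: both count and mode are exact."""
    per_user = defaultdict(Counter)
    for (_day, user, x), cnt in pair_rows.items():
        per_user[user][x] += cnt
    rows = [(u, sum(c.values()), c.most_common(1)[0][0])
            for u, c in per_user.items()]
    return sorted(rows, key=lambda r: -r[1])[:n]

if __name__ == "__main__":
    print("from daily modes:", report_from_modes(daily_mode_summary(EVENTS)))
    print("from pair counts:", report_from_pairs(daily_pair_summary(EVENTS)))
```

The trade-off is summary size: with a high-variance field_X, one row per (day, user, field_X) can be many more rows than one row per (day, user).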