Splunk Search

Optimizing SLA Tracking - Caching/Indexing or Saving Results?

interrobang
Explorer

Hi everyone, I have a pretty huge multisearch query with multiple inputlookups, untangling the spaghetti monster which is my Kafka environment and the multiple applications' usage thereof across a huge number of microservices.

The query calculates latency based on a combination of metrics at each point (CDC of the source DB, Prometheus details of producer-to-consumer metrics, and the final destination DB) to give a source-to-destination latency for a huge number of topics. This makes up the base search of a dashboard, to provide latency and then SLA% per app. So people can select from a dropdown and see: oh, Kafka for Application X is running at 1.5s average latency, and over the past 24 hours the SLA threshold for AppX is 2s and its SLA% is 99.98 over that.

Now this is pretty great considering the heavy lifting the main query is doing in Splunk, and it gives pretty quick real-time or hourly/daily SLA stats output. However, even though it is for a health metric and problem detection/resolution, it is SLA, and ultimately there's a desire for some level of historical tracking approaching reporting level, with visibility over longer periods like weekly, monthly and quarterly SLA performance. This is where things start to slow, and the number of applications / complexity of Kafka this query will target is only going to scale further.

So this is a bit of an esoteric question, but I'm wondering if there are any Splunk dashboard options or approaches to optimize something like this. Traditionally, of course, with things like network traffic, say in Cacti or something more suited to that, this kind of thing would be pulling results from a database, reducing the heavy crunching all the time.

Is there any approach I could use for a dashboard that might save results or data to make this more efficient to that end? Could the SLA% results start being saved or indexed? Or, say, upon first load, in the background it's crunching the latency results going back in time from now to -1 month, and the other dashboard searches are using those results to, say, report on the daily/weekly results? Or anything else... Up for any ideas, because aside from base search id referencing in dashboard panels, I haven't approached anything like this with Splunk as yet.

0 Karma

ITWhisperer
SplunkTrust

You could use summary indexing.

0 Karma
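To make the summary-indexing suggestion concrete, here is an added example (not ITWhisperer's or Splunk's own code) of what the two halves look like in savedsearches.conf: a scheduled search that rolls the expensive multisearch up to hourly per-app counts and writes them to a summary index, and a cheap dashboard search that reads those rows back for a 30-day SLA%. The stanza names, the index name kafka_sla_summary, and the field names app, latency_s and sla_threshold_s are assumptions; the existing multisearch itself is left as a labelled placeholder.

```ini
# savedsearches.conf (constructed example; stanza, index and field names are assumptions)

# Part 1: scheduled roll-up. Runs a few minutes past each hour over the previous
# whole hour and summary-indexes one row per app per hour.
[kafka_sla_hourly_rollup]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
action.summary_index = 1
action.summary_index._name = kafka_sla_summary
# Marker field added to every summarised event so readers can select this report
action.summary_index.report = sla_hourly
# Store COUNTS, not a percentage: percentages cannot be re-aggregated correctly
# across hours/days with unequal sample sizes, sums of counts can.
search = <existing multisearch producing one event per sample with fields app, topic, latency_s, sla_threshold_s> \
  | eval within_sla=if(latency_s<=sla_threshold_s, 1, 0) \
  | bin _time span=1h \
  | stats count AS total_samples, sum(within_sla) AS ok_samples, \
          avg(latency_s) AS avg_latency_s, max(latency_s) AS max_latency_s \
    BY _time, app

# Part 2: dashboard panel search. Reads only the summary index, so a 30-day
# (or quarterly) view touches a few thousand small rows instead of re-running
# the multisearch over raw Kafka/CDC/Prometheus data.
[kafka_sla_30d_by_app]
search = index=kafka_sla_summary report=sla_hourly earliest=-30d@d latest=now \
  | stats sum(total_samples) AS total_samples, sum(ok_samples) AS ok_samples, \
          avg(avg_latency_s) AS avg_latency_s BY app \
  | eval sla_pct=round(100*ok_samples/total_samples, 3)
```

Two things to watch when adopting this: the summary index has to exist before the scheduled search first runs (summary indexing silently drops rows otherwise), and history before the schedule was enabled is only available if you backfill it, which Splunk ships a helper for ($SPLUNK_HOME/bin/fill_summary_index.py). Keeping _time in the BY clause is what makes each summary row land in its own hour rather than at the search's run time.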