Splunk Search

Scheduled searches question

bckq
Path Finder

I have a dashboard with 10 single value boxes and I refresh it every minute.
Every single value box searches my indexes and counts some information. I was wondering which will be more efficient: set all those searches up as scheduled searches, or leave it as it is without scheduling?
If I refresh my dashboard, will it use the downloaded result of the last scheduled search, or will the search run in real time?

1 Solution

yannK
Splunk Employee

It depends on how the searches are scheduled. If a saved result from a previous run already exists in the dispatch for the correct time range, then it will be reused.

Example: mysearch earliest=-1d@d latest=@d (equivalent to yesterday) will be reused,
but mysearch earliest=-24h@h latest=now (last 24 hours) will require a new execution on every single refresh.
Also, any real-time search will require a completely new execution (this is why you don't refresh a real-time dashboard like a historical dashboard).

So the smart move for a heavy, non-real-time dashboard is to have regular scheduled searches with a long interval (not every minute) storing the results in scheduled search results, lookups, or summary data, and to use that data to populate the dashboard.


yannK
Splunk Employee

No, you will have to snap your time range to the minute (or the hour, day, etc.).
example : earliest=-20m@m latest=-1m@m
then the results will still be valid for the next minute.

see http://docs.splunk.com/Documentation/Splunk/4.3.4/User/ChangeTheTimeRangeOfYourSearch#Specify_relati...

It is more useful for longer periods, for example earliest=-20m@m latest=-5m@m, and have it run every 5 minutes.

If you really want to update every minute, then it will have to run every minute...

bckq
Path Finder

So if I set mysearch earliest=-20m latest=-1m, will a result from a scheduled search be used?

Is there an option something like this?
1) a scheduled search writes its result to a table/file
2) during dashboard refresh, the result is read from the table/file instead of executing the search
: )
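The pattern yannK describes above (a scheduled search on a snapped time range, with its results stored in a lookup or as scheduled search results, and the dashboard reading those instead of re-running the search) is exactly what the follow-up question asks for. Below is an added example, not part of the original thread or of any Splunk documentation. The index name `web`, the report name `sv_errors_15m`, the lookup file `sv_errors_15m.csv` and the 5-minute cron interval are all assumptions, as is the savedsearches.conf stanza shown in the comment. The two lower panels contrast a snapped and an unsnapped inline search so the dispatch-reuse behaviour from the accepted answer is visible side by side.

```xml
<!-- Added example (not from the thread). Assumed names: index "web",
     scheduled report "sv_errors_15m", lookup file "sv_errors_15m.csv".
     The report is assumed to be defined in savedsearches.conf like this
     (snapped range, runs every 5 minutes, writes the count to a lookup):

     [sv_errors_15m]
     search = index=web status>=500 \
              | stats count AS errors \
              | outputlookup sv_errors_15m.csv
     dispatch.earliest_time = -20m@m
     dispatch.latest_time   = -5m@m
     cron_schedule = */5 * * * *
     enableSched = 1
-->
<dashboard refresh="60">
  <label>Errors: scheduled results vs inline searches</label>

  <row>
    <panel>
      <!-- Referencing a scheduled report loads the results of its most
           recent scheduled run; the refresh does not dispatch a new search. -->
      <title>From last scheduled run of the report</title>
      <single>
        <search ref="sv_errors_15m"/>
      </single>
    </panel>

    <panel>
      <!-- Reading the lookup written by the scheduled search: a cheap
           file read on every refresh, no index scan. -->
      <title>From lookup written by the scheduled search</title>
      <single>
        <search>
          <query>| inputlookup sv_errors_15m.csv | fields errors</query>
        </search>
      </single>
    </panel>
  </row>

  <row>
    <panel>
      <!-- Snapped to the minute: within the same minute the time range
           is identical, so an existing dispatch job can be reused. -->
      <title>Inline, snapped (@m): reusable within the minute</title>
      <single>
        <search>
          <query>index=web status>=500 | stats count AS errors</query>
          <earliest>-20m@m</earliest>
          <latest>-1m@m</latest>
        </search>
      </single>
    </panel>

    <panel>
      <!-- Not snapped: earliest/latest differ on every refresh, so this
           search is re-executed against the index every 60 seconds. -->
      <title>Inline, unsnapped: re-executes on every refresh</title>
      <single>
        <search>
          <query>index=web status>=500 | stats count AS errors</query>
          <earliest>-20m</earliest>
          <latest>-1m</latest>
        </search>
      </single>
    </panel>
  </row>
</dashboard>
```

With ten single-value panels, the first two styles mean a one-minute dashboard refresh costs ten lookup reads or cached-result loads rather than ten fresh index searches; only the scheduler touches the indexes, at the interval you choose. Whoever can open the dashboard can read the report results and the lookup file, so the report and lookup should carry the same permissions you would put on the underlying data.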
