Splunk Search

Scheduled searches question

Path Finder

I have a dashboard with 10 single value boxes and I refresh it every minute.
Every single value box searches my indexes and counts some information. I was wondering what would be more efficient: setting all those searches up as scheduled searches, or leaving it as it is without scheduling?
If I refresh my dashboard, will the result of the last scheduled search be downloaded, or will the search run in real time?

1 Solution

Splunk Employee

It depends on how the searches are scheduled. If a saved result from a previous run already exists in the dispatch directory for the correct time range, then it will be reused.

Example: mysearch earliest=-1d@d latest=@d (equivalent to yesterday) will be reused.
But mysearch earliest=-24h@h latest=now (last 24 hours) will require a new execution on every single refresh.
Also, any real-time search will require a completely new execution (this is why you don't refresh a real-time dashboard the way you refresh a historical dashboard).

So the smart move for a heavy, non-real-time dashboard is to have regular scheduled searches with a long interval (not every minute) that store their results in scheduled search results, lookups or summary data, and to use that data to populate the dashboard.



Splunk Employee

No, you will have to snap your time range to the minute (or the hour, day, etc.).
Example: earliest=-20m@m latest=-1m@m
Then the results will still be valid for the next minute.

See http://docs.splunk.com/Documentation/Splunk/4.3.4/User/ChangeTheTimeRangeOfYourSearch#Specify_relati...

It is more useful for longer periods, for example earliest=-20m@m latest=-5m@m, and have it run every 5 minutes.

If you really want to update every minute, then it will have to run every minute...
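As an added illustration (not part of the original thread or of Splunk's own examples), here is the pattern the two replies describe written as a savedsearches.conf stanza: a scheduled report with a minute-snapped, lagged time window whose results are written to a CSV lookup, so the dashboard panels read the lookup instead of searching the index on every refresh. The stanza name, index, sourcetype, status field and lookup file name are placeholders chosen for this example.

```ini
# savedsearches.conf, placed in the app's local/ directory.
# Added example; stanza name, index, sourcetype and lookup name are placeholders.
[dashboard_error_counts]
enableSched = 1

# Run every 5 minutes, matching the -5m@m latest time below so each run
# covers a window that ends on a minute boundary.
cron_schedule = */5 * * * *

# Both ends snapped to the minute (@m). Within a given minute every request
# produces the identical time range, so a dispatched result can be reused;
# an unsnapped "latest=now" would change on every refresh and force a rerun.
# The 5-minute lag leaves room for late-arriving events.
dispatch.earliest_time = -20m@m
dispatch.latest_time = -5m@m

# Count server-side errors per host and store them in a CSV lookup.
# The dashboard panels read this file rather than re-running the search.
search = index=web sourcetype=access_combined status>=500 \
| stats count AS errors BY host \
| outputlookup dashboard_error_counts.csv
```

Each single-value panel then runs a lightweight query such as | inputlookup dashboard_error_counts.csv | stats sum(errors) AS errors, which only reads the lookup file, so refreshing the dashboard every minute costs almost nothing while the expensive search runs once per schedule. A Simple XML panel can alternatively reference the report directly with <search ref="dashboard_error_counts"/>; for a scheduled report Splunk then shows the results of the most recent scheduled run rather than dispatching a new search.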

Path Finder

So if I set mysearch earliest=-20m latest=-1m, will a result from a scheduled search be used?

Is there an option something like this?
1) A scheduled search writes its result to a table/file.
2) During the dashboard refresh, the result is read from the table/file instead of executing the search.
?? : )
