Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk DB Connect 1: Do Splunk dbquery jobs count against search limits?

a212830
Champion
‎01-28-2016 12:11 PM

Hi,

I have customers using dbquery to augment Splunk dashboards (not joining the data, but presenting the data in another panel). Some of these dashboards have a lot of dbqueries, and I don't want it affecting "real" Splunk queries.

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎01-28-2016 02:01 PM

Any search that runs a dbquery obviously counts as a search and would count against that account's role limits (and overall system limits). Even if its the first command (a "generating command" http://docs.splunk.com/Splexicon:Generatingcommand) like metadata still counts just like any other search.

0 Karma
Reply

a212830
Champion
‎01-28-2016 02:25 PM

Thanks. So... next question. Is there any way to limit the number of queries/ contained in a dashboard? I have people going nuts...

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎01-28-2016 02:39 PM

Oh, now this is a 2fer. 😉

Limit no. BUT one approach I use when there's too many things going on on a dashboard is to use the post processing feature.

This got especially strong in 6.2+.

Check out this page which walks through how to run a common search once, then let the panels inherit from that. So you get one search to pull the raw data, then other searches that represent it in different ways. If a dashboards used to have 8 searches that all looked for the same data, you could reduce that down to 1 that pulls the data (the heavy work) and the rest just manipulate it.
http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/Savedsearches#Post-process_searches

0 Karma
Reply

pgreer_splunk
Splunk Employee
Splunk Employee
‎01-28-2016 03:53 PM

I recently attended a Splunk .conf 2015 replay on using lookup tables:

http://conf.splunk.com/session/2015/recordings/2015-splunk-38.mp4

Although it is more geared to really large or long running searches and summarizing the data into a table (at periodic time periods - scheduled searches that create/update lookup tables) it could also be an option for your dashboards. Like @SloshBurch states, if there is common data that you're obtaining from the remote database, possibly pull it at regular intervals that makes sense and store it into a lookup table, then have your dashboards pull from that instead of creating a session into your remote database(s).

Just a thought...

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...