Splunk DB Connect 1: Do Splunk dbquery jobs count against search limits?

a212830
Champion

Hi,

I have customers using dbquery to augment Splunk dashboards (not joining the data, but presenting the data in another panel). Some of these dashboards have a lot of dbqueries, and I don't want it affecting "real" Splunk queries.

0 Karma

sloshburch
Splunk Employee

Any search that runs a dbquery obviously counts as a search and would count against that account's role limits (and overall system limits). Even if it's the first command (a "generating command" http://docs.splunk.com/Splexicon:Generatingcommand) like metadata, it still counts just like any other search.

0 Karma

a212830
Champion

Thanks. So... next question. Is there any way to limit the number of queries/ contained in a dashboard? I have people going nuts...

0 Karma

sloshburch
Splunk Employee

Oh, now this is a 2fer. 😉

Limit no. BUT one approach I use when there's too many things going on on a dashboard is to use the post processing feature.

This got especially strong in 6.2+.

Check out this page which walks through how to run a common search once, then let the panels inherit from that. So you get one search to pull the raw data, then other searches that represent it in different ways. If a dashboard used to have 8 searches that all looked for the same data, you could reduce that down to 1 that pulls the data (the heavy work) and the rest just manipulate it.
http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/Savedsearches#Post-process_searches

0 Karma
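The post-process approach from the answer above, sketched as a Simple XML dashboard (6.2+ syntax). This is an added example, not part of the original posts; the database name `orders_db`, the SQL statement, and the field names are hypothetical. Only the base search runs `dbquery`, so the dashboard opens one database session and dispatches one search job instead of one per panel.

```xml
<dashboard>
  <label>Orders overview (post-process example)</label>

  <!-- Base search: the only search that runs dbquery.
       "orders_db" and the SQL below are hypothetical placeholders. -->
  <search id="orders_base">
    <query>
      | dbquery "orders_db" "SELECT status, region, amount FROM orders"
      | fields status region amount
    </query>
  </search>

  <row>
    <panel>
      <title>Orders by status</title>
      <chart>
        <!-- Post-process search: reshapes the base results,
             no new dbquery and no new search job -->
        <search base="orders_base">
          <query>stats count by status</query>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Revenue by region</title>
      <table>
        <search base="orders_base">
          <query>stats sum(amount) AS revenue by region | sort - revenue</query>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>Total orders</title>
      <single>
        <search base="orders_base">
          <query>stats count</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>
```

Listing the needed fields explicitly in the base search (the `fields` line) keeps them available to every post-process search that inherits from it.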

pgreer_splunk
Splunk Employee

I recently attended a Splunk .conf 2015 replay on using lookup tables:

http://conf.splunk.com/session/2015/recordings/2015-splunk-38.mp4

Although it is more geared to really large or long-running searches and summarizing the data into a table (at periodic time periods - scheduled searches that create/update lookup tables), it could also be an option for your dashboards. Like @SloshBurch states, if there is common data that you're obtaining from the remote database, possibly pull it at regular intervals that make sense and store it into a lookup table, then have your dashboards pull from that instead of creating a session into your remote database(s).

Just a thought...

0 Karma