Working on making dashboards to help report on activity.
To make the dashboards as performant as possible, I'm using base searches.
However, it appears that using base searches throughout a dashboard (1 search, but used in all the panels) almost causes an exponential increase in the size of the search, which causes the search to prematurely terminate.
Doing a straight search for one of the panels got 98,803 results, and took up 0.29 MB.
Just turning that 1 search into a 1-panel dashboard using a base search got the same number of results, but took up 83.66 MB.
Which seems completely ridiculous.
If I trim down results to just the last 2 weeks (instead of the last month), I get around 45,000 results, and the dashboard load only takes up 7 MB.
I'm trying to figure out if I'm doing something wrong. Or should I not use base queries at all, as they seem to constantly cause performance issues?
The dashboard:
<form>
  <label>Usage</label>
  <fieldset autoRun="false" submitButton="true">
    <input type="dropdown" token="tenantid_tok">
      <label>Domain</label>
      <default>All</default>
      <choice value="">All</choice>
    </input>
    <input type="time" token="date_tok" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-1mon@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <search id="login_checkpoints">
    <query>index=myIndex sourcetype=mySource $tenantid_tok$ NOT CrashReport NOT ErrorReport ("TYPE1" OR "TYPE2")
| `expand_checkpoints`
| fields - _raw
| spath input=checkPoint output=eventName path=EventName
| where match(eventName,"TYPE1") or match(eventName,"TYPE2")
| spath input=checkPoint output=userId path=UserId
| spath input=checkPoint output=tenantId path=TenantId
| spath input=checkPoint output=eventTime path=EventTime
| spath input=checkPoint output=metaData path=MetaData
| spath input=metaData output=userType path=USER_TYPE
| spath input=checkPoint output=deviceId path=DeviceId
| spath input=checkPoint output=deviceModel path=DeviceModel
| spath input=checkPoint output=deviceOS path=DeviceOS
| spath input=checkPoint output=appVersion path=Version
| eval deviceType=if(like(deviceOS,"Android%"),"Android","iOS")
| eval fullUserName=userId+"@"+tenantId
| fields - checkPoint
| fields eventName,userId,tenantId,eventTime,metaData,userType,deviceId,deviceModel,deviceOS,appVersion,deviceType,fullUserName</query>
    <earliest>$date_tok.earliest$</earliest>
    <latest>$date_tok.latest$</latest>
  </search>
  <row>
    <panel>
      <title>Users</title>
      <single>
        <title>Total</title>
        <search base="login_checkpoints">
          <query>chart dc(fullUserName)</query>
        </search>
        <option name="drilldown">none</option>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="numberPrecision">0</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
        <option name="linkView">search</option>
        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="trendInterval">auto</option>
      </single>
    </panel>
    <panel>
      <title>Devices</title>
      <single>
        <title>Total</title>
        <search base="login_checkpoints">
          <query>dedup deviceId
| chart count(deviceId)</query>
        </search>
        <option name="drilldown">none</option>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="numberPrecision">0</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
        <option name="linkView">search</option>
      </single>
    </panel>
  </row>
</form>
-Thanks!
All queries are executed on the server (index/search) and only the final results are sent to the client. In most cases, the final results are only a small subset of the number of events. However, in your case, since you do not have a transforming command in your base search, the query returns all the events (there is a limit of 500K), increasing the size. Try adding the chart command to your base search and eliminating fields in your subsearch. One way could be:

*Base Search*
... | chart dc(deviceId) as device_count dc(fullUserName) as user_count

*Sub Search*
| fields user_count
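The complete dashboard rewritten along the lines of that answer, as an added example that belongs to neither the question nor the answer above. It keeps the index, sourcetype, tokens and `expand_checkpoints` macro exactly as they appear in the question and assumes they are correct; the base search now ends in a transforming `chart`, so each post-process search receives a single aggregated row instead of up to 500K raw events, and it only extracts the three fields the two panels need (`userId`, `tenantId`, `deviceId`). The `dedup deviceId | chart count(deviceId)` of the original Devices panel is replaced by `dc(deviceId)`, which counts the same distinct values in one pass:

```xml
<form>
  <label>Usage</label>
  <fieldset autoRun="false" submitButton="true">
    <input type="dropdown" token="tenantid_tok">
      <label>Domain</label>
      <default>All</default>
      <choice value="">All</choice>
    </input>
    <input type="time" token="date_tok" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-1mon@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search (assumed index/sourcetype/macro copied from the question).
       It ends in a transforming command, so the result handed to every
       post-process search is ONE row with two columns, not the raw events.
       Only the fields needed for the two counts are extracted. -->
  <search id="login_checkpoints">
    <query>index=myIndex sourcetype=mySource $tenantid_tok$ NOT CrashReport NOT ErrorReport ("TYPE1" OR "TYPE2")
| `expand_checkpoints`
| fields - _raw
| spath input=checkPoint output=eventName path=EventName
| where match(eventName,"TYPE1") or match(eventName,"TYPE2")
| spath input=checkPoint output=userId path=UserId
| spath input=checkPoint output=tenantId path=TenantId
| spath input=checkPoint output=deviceId path=DeviceId
| eval fullUserName=userId+"@"+tenantId
| chart dc(fullUserName) as user_count dc(deviceId) as device_count</query>
    <earliest>$date_tok.earliest$</earliest>
    <latest>$date_tok.latest$</latest>
  </search>

  <row>
    <panel>
      <title>Users</title>
      <single>
        <title>Total</title>
        <!-- Post-process search: select one column of the aggregated row.
             A single-value panel displays the first field of the first row. -->
        <search base="login_checkpoints">
          <query>fields user_count</query>
        </search>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel>
      <title>Devices</title>
      <single>
        <title>Total</title>
        <search base="login_checkpoints">
          <query>fields device_count</query>
        </search>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</form>
```

Two things to watch when applying this pattern more widely: every count a panel will ever need has to be computed in the base search's `chart` (a post-process search cannot recover a field the base search did not keep), and the sparkline/trend options of the original panels are omitted here because a `chart` without a time split produces no time series for them to draw.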