So here is the situation that I am in. At any particular time we are only working on one set of data. This data gets purged every month and we start over from scratch with new data. I want to create a dashboard that gives overall information over this data. The problem that I am having is that the dashboard keeps restarting the search every time it is opened. This means that as we ingest more data and navigate back to the dashboard, instead of adding the results to the dashboard, it starts over and re-performs the search on the old and new data. With the amount of data we collect, it would take several days for the report to finish, and then if you refresh the page or get disconnected it has to start over.
I would like a dashboard that, as data is ingested, continuously updates itself. Once we have ingested the full data set and the dashboard has finished, any user should be able to go to the dashboard and see the most current information. Since several of us will navigate to the dashboard, there is no need for it to start a new job every time; just have one completed job.
Example: Splunk is empty, brand new. We start capturing pcap data and Splunk is ingesting it over a 1 week period. During that one week period I create a dashboard looking for a count of how many packets are going to port 22. As we ingest data, day to day, I can navigate to the dashboard and see our current count of packets going to port 22. Then by the end of the week when I navigate back I see the overall count. (How can this be done without the dashboard restarting the search every time I go to it?)