|
We index data from about 2000 different hosts. Logs are relayed in via a TCP syslog source. Whenever a user goes to the search application, it takes a good 20+ seconds to load all the summary data, such as "Events Indexed" and all of the counts for each source & host. Is there any way to edit this page or speed up this search or use cached results on a 5 minute schedule or something like that? The lag really gives an impression of system slowness on this very first page. :-/ |
|
I had the same problem. My solution was to remove the searches from the summary page, which was a big improvement. |
|
The searches run from the summary page are metadata searches. These should run very quickly. The comparable search queries would be:
Each of the above searches should only take a few seconds to return. It is possible that you have a performance problem that is causing these searches to run slowly. In that case, I recommend you contact support to help debug the problem. If you are in a distributed search environment, it is possible that the remote peers are taking a while to return data. Splunk will wait to compile all of the results from each indexer before painting the page. |
