Hello everyone,
We have a dashboard that displays the number of transactions for the day, as a single value panel. The search is very simple and easy as each transaction is a separate event in the log:
*index=my_index category=transaction | stats count*
The dashboard refreshes every 5 minutes, which means that Splunk recounts them every 5 minutes to come up with the new count. What happens is that during our busy time of the year, the number of transactions arriving exceeds the 5-minute refresh time it takes Splunk to finish counting them.
What I would love is for Splunk to “remember” the last count of transactions (say it was 7,500,000) and start counting from there. That way, the count is accurate, and the Splunk processing is not as great (hopefully).
I just don’t know how to do that, or if it can be done. Any ideas?