Troubleshooting for system performance

If you are experiencing problems with system performance, there are actions that you can take to improve the system’s response times.

Improving Siren Investigate system performance

You can improve performance in the following ways:

  • Exclude fields that contain a lot of data by using source filters.

  • Set the sampling parameter in the Graph Browser.

  • Prevent expensive queries.

You can modify many of these system performance settings in the Data model app, by selecting the Options tab.

You can also modify some performance-related parameters in the Management app, by selecting Advanced Settings.

Making some of the following adjustments can help to improve the performance of the UI.

Client-side compression

If users who are accessing Siren Investigate have a poor internet connection with slow upload speeds, you can enable client-side compression to speed up some large HTTP requests.

Open the config/investigate.yml file and set the compression_enabled parameter to true as follows:

  compression_enabled: true
  # Size limit of the request body in bytes. If this limit is exceeded, compression is triggered.
  compression_threshold: 1024
  logging_enabled: true

Time settings

  • If time precision is not a high priority in your investigation, you can change the value of the siren:timePrecision parameter in Advanced Settings to a value that is greater than its current setting. A coarser precision improves the Elasticsearch cache hit rate, because the time bounds of the queries do not drift between requests.

  • You can avoid time drift by using absolute time rather than relative time.

    1. Open your dashboard in Edit mode and select the clock icon in the top-right of the screen.

    2. In the Time Range panel, select Absolute.

    3. Click Apply to all dashboards and Save.

  • If you have dashboards with large time-based indices, save them with the time range set to the shortest feasible time. By doing so, you can avoid sending queries that will have to aggregate on all historical data when the user opens the dashboard for the first time.

    1. Go to the Management app and select Advanced Settings.

    2. Search for the timepicker:timeDefaults parameter.

    3. Click Edit and modify the value as required.

    4. Click Save.

  • If you are using histogram visualizations, ensure that the time range is not too small. For example, do not configure a time range in minutes if you are displaying a histogram that spans many years of data.
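
The effect of time precision and absolute time on cache hits can be modelled in a few lines. This is an added example, not Siren Investigate code: it assumes that the precision setting rounds the resolved time bounds down to the chosen unit and that a cached result is reused only when the time range is identical. The unit names, function names and workload are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Rounding units modelled here, in seconds (assumed unit names).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def floor_to(ts, unit):
    """Round a UTC datetime down to the start of the given unit."""
    step = UNIT_SECONDS[unit]
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % step, tz=timezone.utc)


def resolve_relative(now, window, unit):
    """Turn 'last <window>' into absolute bounds rounded to the precision unit."""
    return floor_to(now - window, unit), floor_to(now, unit)


def cache_hits(ranges):
    """Count requests whose (from, to) range matches one already requested."""
    seen, hits = set(), 0
    for key in ranges:
        if key in seen:
            hits += 1
        seen.add(key)
    return hits


def simulate(unit=None):
    """Cache hits for a 'last 15 minutes' dashboard reloaded every 10 s for 5 min.

    unit=None models an absolute time range that was fixed when the
    dashboard was saved, so every reload sends the same bounds.
    """
    start = datetime(2024, 1, 1, 12, 0, 3, tzinfo=timezone.utc)  # constructed
    window = timedelta(minutes=15)
    reloads = [start + timedelta(seconds=10 * i) for i in range(30)]
    if unit is None:
        pinned = (start - window, start)
        return cache_hits([pinned for _ in reloads])
    return cache_hits([resolve_relative(now, window, unit) for now in reloads])


if __name__ == "__main__":
    for label, unit in [("second", "s"), ("minute", "m"), ("hour", "h"), ("absolute", None)]:
        print(f"{label:>8}: {simulate(unit)} of 30 reloads reuse a cached range")
```

With second precision every reload produces a new range, while minute precision, hour precision and an absolute range let most or all reloads repeat an earlier one.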

Setting query limitations

You set query limitations in the Options tab of the Data model app.

  • If you have dashboards that are based on large indices, set limits to prevent generating queries that might slow down your system. There are three limits that you can set on an entity table:

    • The maximum time range.

    • The maximum number of documents on a dashboard when no joins are involved.

    • The maximum number of documents on a dashboard when a join is involved.

  • When you are configuring an entity table, you can set source filters to exclude the fields that you do not want to fetch. For example, exclude fields that contain binary data or long strings that would make the responses too large.

  • If your installation contains multiple dashboards, organize them into groups. Groups can be collapsed, which reduces the number of count queries.

Improving the speed of queries

You can increase the speed of queries that Siren Investigate sends to Elasticsearch through Siren Federate by using the count fetching strategy parameters.

Configure the count fetching strategy on relational filters and dashboards to improve performance when handling large parallel requests.

  1. Go to Management → Advanced Settings.

  2. Search for the siren:countFetchingStrategyRelationalFilters parameter.

  3. Click Edit.

  4. In the Value field, specify the number of parallel requests to handle. For example, enter the following values:

    { "name": "default", "batchSize": 2, "retryOnError": 1, "parallelRequests": 1 }

  5. Click Save.

  6. Search for the siren:countFetchingStrategyDashboards parameter.

  7. In the Value field, specify the number of parallel requests to handle. For example, enter the following values:

    { "name": "default", "batchSize": 2, "retryOnError": 1, "parallelRequests": 1 }

  8. Click Save.

Graph Browser settings

In the Graph Browser, you can set a graph expansion limit, which controls how many records can be imported into a graph from a dashboard. This is called sampling.

For more information, see Sampling data in the graph.

Automation settings

If the automatic count on relational buttons is taking a long time to display, you can disable this feature. If you do this, users will have to press a button to see the count.

In Advanced Settings, set the siren:enableAllRelBtnCounts parameter to false by deselecting the checkbox.

Improving Siren Federate system performance

The following tips can help you to improve the performance of the Siren Federate back-end system:

  • Use the smallest feasible number of shards per index. For more information, see Tune for indexing speed in the Elasticsearch documentation.

  • Optimize your search speed. For more information, see Tune for search speed in the Elasticsearch documentation.

  • Make the recommended configurations in the Siren Federate plug-in. For more information, see the Performance considerations section of the Siren Federate user guide.