I made "Expensive Searches on Dashboards" dashboard work with the following modifications below. In a nutshell I created new saved search to fill a temporary lookup, another saved search to clean lookup after 30 days and modified dashboard to query this lookup instead of raw events.

Updated "expensive_searches" dashboard

| inputlookup inventory_app_view_sid where $app$ $dashboard$
| rename AppName as search_app 
| lookup inventory_jobs sid OUTPUT diskUsage label owner eventCount scanCount runDuration ttl search 
| eval eventscan_ratio=eventCount/scanCount 
| eval diskUsage=diskUsage/1048576 
| fillnull eventscan_ratio value=0 
| stats avg(diskUsage) as diskUsage count as hits dc(label) as dc_searches values(owner) as owner avg(eventscan_ratio) as eventscan_ratio avg(runDuration) as avg_runDuration values(sid) as sid by ViewName search_app 
| sort - avg_runDuration 
| where dc_searches>0 
| head 10 
| lookup inventory_views name AS ViewName app as search_app OUTPUT label AS dlabel 
| lookup inventory_apps name as search_app OUTPUT label as alabel 
| eval dlabel=if(isnull(dlabel),ViewName,dlabel) 
| rename dlabel as "Dashboard Name" alabel as App diskUsage as "Avg Disk Usage MB" dc_searches as "Search Count" owner as User eventscan_ratio as "Avg Event Scan Ratio" avg_runDuration as "Avg Run Duration (sec)" hits as "Dashboard Hits"

Added new saved search "bloodhound_inventory_kvstore_app_view_sid_gen":

| rest /services/search/jobs 
| search provenance="UI:Dashboard:*" 
| rex field=provenance "UI:Dashboard:(?<ViewName>.*)" 
| eval time=searchLatestTime 
| rename eai:acl.* as * 
| rename app as AppName 
| stats count by time sid AppName ViewName 
| fields - count
| outputlookup inventory_app_view_sid

Added new saved bloodhound_inventory_kvstore_app_view_sid_cleanup":

| inputlookup inventory_app_view_sid 
| where time>=relative_time(now(), "-30d@d")
| outputlookup inventory_app_view_sid