
Compatibility with Splunk 7.3

Contributor

Hi,

The Expensive Searches on Dashboards dashboard in the Bloodhound app shows no results in Splunk 7.3. Do you know about the fix?

It looks like events in the _internal index might have changed between 7.3 and 7.2. I am trying, but not quite successfully, to tackle this issue. It looks like when searching for events about searches in dashboards, there is no "id" field, which is used as a key field in a lookup.

Tomas

1 Solution

Contributor

I made the "Expensive Searches on Dashboards" dashboard work with the modifications below. In a nutshell, I created a new saved search to fill a temporary lookup, another saved search to clean the lookup after 30 days, and modified the dashboard to query this lookup instead of raw events.

Updated "expensive_searches" dashboard:

| inputlookup inventory_app_view_sid where $app$ $dashboard$
| rename AppName as search_app 
| lookup inventory_jobs sid OUTPUT diskUsage label owner eventCount scanCount runDuration ttl search 
| eval eventscan_ratio=eventCount/scanCount 
| eval diskUsage=diskUsage/1048576 
| fillnull eventscan_ratio value=0 
| stats avg(diskUsage) as diskUsage count as hits dc(label) as dc_searches values(owner) as owner avg(eventscan_ratio) as eventscan_ratio avg(runDuration) as avg_runDuration values(sid) as sid by ViewName search_app 
| sort - avg_runDuration 
| where dc_searches>0 
| head 10 
| lookup inventory_views name AS ViewName app as search_app OUTPUT label AS dlabel 
| lookup inventory_apps name as search_app OUTPUT label as alabel 
| eval dlabel=if(isnull(dlabel),ViewName,dlabel) 
| rename dlabel as "Dashboard Name" alabel as App diskUsage as "Avg Disk Usage MB" dc_searches as "Search Count" owner as User eventscan_ratio as "Avg Event Scan Ratio" avg_runDuration as "Avg Run Duration (sec)" hits as "Dashboard Hits"

Added new saved search "bloodhoundinventorykvstoreappviewsidgen":

| rest /services/search/jobs 
| search provenance="UI:Dashboard:*" 
| rex field=provenance "UI:Dashboard:(?<ViewName>.*)" 
| eval time=searchLatestTime 
| rename eai:acl.* as * 
| rename app as AppName 
| stats count by time sid AppName ViewName 
| fields - count
| outputlookup inventory_app_view_sid

Added new saved search "bloodhoundinventorykvstoreappviewsidcleanup":

| inputlookup inventory_app_view_sid 
| where time>=relative_time(now(), "-30d@d")
| outputlookup inventory_app_view_sid

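Added example (not from the original post): a variant of the gen search that merges the current job list into the rows already in the lookup and applies the 30-day retention in the same pass, so the lookup accumulates across runs instead of being replaced each time by whatever `rest /services/search/jobs` currently returns. It assumes the same lookup and field names as the searches above.

```spl
| inputlookup inventory_app_view_sid
| append
    [| rest /services/search/jobs
     | search provenance="UI:Dashboard:*"
     | rex field=provenance "UI:Dashboard:(?<ViewName>.*)"
     | eval time=searchLatestTime
     | rename eai:acl.* as *
     | rename app as AppName
     | table time sid AppName ViewName ]
| dedup sid
| where time>=relative_time(now(), "-30d@d")
| outputlookup inventory_app_view_sid
```

`dedup sid` keeps the row that was already in the lookup when a job is listed again, so repeated runs do not inflate the "Dashboard Hits" count; the `append` subsearch is subject to the usual subsearch result limits, which only matters if the search head retains more jobs than that limit.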


SplunkTrust

Hey hey, please accept your own answer if it's working 🙂


Contributor

I cannot. No button to press.


SplunkTrust

Try now ^^
