Splunk Search

Most common and most expensive searches run by users

shahzadarif
Path Finder

I need to find out what the most common searches run by users on a daily basis are. Also, what are the most expensive searches? I mean, which searches are taking the most time to complete?
We have a search head cluster (version 6.3.3), so I'm guessing the only place to get this information is from the cluster master DMC?

0 Karma

sundareshr
Legend

I've found this to be a useful app.

https://splunkbase.splunk.com/app/2678/

Amongst other reports, it has a report for Top 100 Most Expensive Searches by Search and User

0 Karma

shahzadarif
Path Finder

Sundar, thanks for providing the name of the app. I've downloaded it in my staging environment so I will play with it. I think this is the sort of app I was looking for.
ddrillic I'll be upgrading to 6.4.2 pretty soon (at least in the staging environment) to utilise the tsidx reduction feature so I'll look at the extra functionality introduced in the DMC.
Thank you both 🙂
Now my next question: is it possible to create dashboards on search heads which can be accessed by, let's say, power users? I want these dashboards to show the performance of Splunk.

0 Karma

sundareshr
Legend

Sure, you can limit access to this app/dashboards users. Or you can clone these dashboards (look at the search) and put them in a new app with restricted permissions.

0 Karma

ddrillic
Ultra Champion

A lot of good work was placed in the DMC - Deployment Management Console of Splunk 6.4.1.

When we realized recently that SoS app charges against the license, Support told us -

-- Indeed, and this is one of the reasons for me to recommend the Distributed Management Console, which leverages built-in instrumentation data that supersedes the information collected by S.o.S scripted inputs to provide visibility on resource usage, search activity and other application vitals.

One of the views is the max searches per app -

Under this section, one can see the Top 20 Memory-Consuming Searches as you asked for.

Most useful ; -) but you need to be on this 6.4.1 recent version...

0 Karma

woodcock
Esteemed Legend

There are several apps on splunkbase (apps.splunk.com) to do this kind of thing and more are added all the time. Search around and tell us what you find.

0 Karma