Find dashboard which can use base searches

InderSingh1
Explorer

Hi,

I want to find all the dashboards that can potentially use a base search to save computing resources. As you know, we can use a base search and populate the panels using that base search. I want to find a way where I can automatically check all the dashboards and see if their panels are using duplicate searches, so that I can guide users to implement base searches.

Thanks in advance!

 

0 Karma
1 Solution

johnhuang
Motivator

You can extract all the search queries from dashboards, clean them up a bit, flatten them, sort them, and then quickly review any that look similar. You can also ignore any dashboards that are already using base searches.

Here's how I would do it.

| rest /servicesNS/-/-/data/ui/views | search isDashboard=1 eai:data ="*<query>*"
| rename eai:appName AS app_name eai:data AS dashboard_raw label AS dashboard_name author AS owner
| fields dashboard_raw dashboard_name app_name owner dashboard_path
| dedup dashboard_name app_name
| rex max_match=100 field=dashboard_raw "\<search base=\"(?<base_search_names>[^\"]*)"
| eval base_search_ct=MVCOUNT(base_search_names)
| rex max_match=100 field=dashboard_raw "(?ms)<query\>(?<extracted_spl>.*?)</query>"
| mvexpand extracted_spl
| eval formatted_spl=extracted_spl 
| rex field=formatted_spl mode=sed "s/^[\r\n]+//g"
| rex field=formatted_spl mode=sed "s/[\r\n]\s{2,}//g"
| eval formatted_spl=TRIM(formatted_spl)
| eval flattened_spl=formatted_spl
| rex field=flattened_spl mode=sed "s/[\r\n]+/ /g"
| eval flattened_spl=CASE(LEN(flattened_spl)>210, SUBSTR(flattened_spl, 1, 200)." ...+".(LEN(flattened_spl)-200)." chars", 1=1, flattened_spl)
| table dashboard_name app_name owner flattened_spl formatted_spl dashboard_path base_search_names base_search_ct
| sort 0 dashboard_name flattened_spl | fillnull value=0 base_search_ct
| stats count AS query_ct first(base_search_ct) AS base_search_ct values(base_search_names) AS base_search_names list(flattened_spl) AS flattened_spl BY app_name dashboard_name owner

  

InderSingh1
Explorer

This is great.. Thanks

0 Karma

richgalloway
SplunkTrust

There is no automatic way to do that.  You can use 

| rest /servicesNS/-/-/data/ui/views

to get all dashboards, then parse the eai:data field to extract all search queries.  Then compare those queries to see which are identical.  It's unlikely, however, to find queries that are similar enough to be modified slightly and therefore able to share a common base search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
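
The steps both answers describe (pull each `<query>` out of the dashboard XML, normalize it, compare), as an added Python example that is not from the thread or from Splunk. It goes one step beyond exact matching and groups searches by their first pipeline segment, the part a shared base search would hold. The sample XML and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed Simple XML standing in for one dashboard's eai:data value.
SAMPLE_XML = """<dashboard><row>
<panel><chart><search><query>
  index=auth action=failure
  | stats count BY user
</query></search></chart></panel>
<panel><table><search><query>index=auth  action=failure | top src</query></search></table></panel>
<panel><single><search><query>index=auth action=failure | stats count BY user</query></search></single></panel>
<panel><table><search base="web"><query>| stats count BY status</query></search></table></panel>
</row></dashboard>"""

def normalize(spl):
    """Collapse whitespace runs so layout differences do not hide duplicates."""
    return re.sub(r"\s+", " ", spl).strip()

def root_segment(spl):
    """Text before the first pipe that is outside quotes and [subsearches]."""
    depth, in_quote, i = 0, False, 0
    while i < len(spl):
        c = spl[i]
        if in_quote and c == "\\":
            i += 2                      # skip the escaped character
            continue
        if c == '"':
            in_quote = not in_quote
        elif not in_quote:
            depth += (c == "[") - (c == "]")
            if c == "|" and depth == 0 and i > 0:   # i > 0 keeps a leading "| rest"
                return spl[:i].strip()
        i += 1
    return spl

def base_search_candidates(xml_text):
    """Map each root segment used by 2+ searches to those searches' full SPL."""
    groups = defaultdict(list)
    for search in ET.fromstring(xml_text).iter("search"):
        query = search.findtext("query")
        if search.get("base") is not None or not query:
            continue                    # already post-processes a base search
        spl = normalize(query)
        groups[root_segment(spl)].append(spl)
    return {root: qs for root, qs in groups.items() if len(qs) > 1}

if __name__ == "__main__":
    for root, qs in base_search_candidates(SAMPLE_XML).items():
        print(f"{len(qs)} searches, {len(set(qs))} distinct, share root: {root}")
```

A shared root only marks searches worth reviewing together; time ranges and tokens still have to match before they can use one base search.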