- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Find dashboard which can use base searches
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I want to find all the dashboards that can potentially use base search to save computing resources. As you know we can use a base search and populate the panels using that base search. I want to find a way where I can automatically check all the dashboards and see if their panels are using duplicate searches so that I can guide users to implement base searches.
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can extract all the search queries from dashboards, clean it up a bit, flatten it, sort it and then quickly review any that look similar. You can also ignore any dashboards that are already using base searches.
Here's how I would do it.
| rest /servicesNS/-/-/data/ui/views | search isDashboard=1 eai:data ="*<query>*"
| rename eai:appName AS app_name eai:data AS dashboard_raw label AS dashboard_name author AS owner
| fields dashboard_raw dashboard_name app_name owner dashboard_path
| dedup dashboard_name app_name
| rex max_match=100 field=dashboard_raw "\<search base=\"(?<base_search_names>[^\"]*)"
| eval base_search_ct=MVCOUNT(base_search_names)
| rex max_match=100 field=dashboard_raw "(?ms)<query\>(?<extracted_spl>.*?)</query>"
| mvexpand extracted_spl
| eval formatted_spl=extracted_spl
| rex field=formatted_spl mode=sed "s/^[\r\n]+//g"
| rex field=formatted_spl mode=sed "s/[\r\n]\s{2,}//g"
| eval formatted_spl=TRIM(formatted_spl)
| eval flattened_spl=formatted_spl
| rex field=flattened_spl mode=sed "s/[\r\n]+/ /g"
| eval flattened_spl=CASE(LEN(flattened_spl)>210, SUBSTR(flattened_spl, 1, 200)." ...+".(LEN(flattened_spl)-200)." chars", 1=1, flattened_spl)
| table dashboard_name app_name owner flattened_spl formatted_spl dashboard_path base_search_names base_search_ct
| sort 0 dashboard_name flattened_spl | fillnull value=0 base_search_ct
| stats count AS query_ct first(base_search_ct) AS base_search_ct values(base_search_names) AS base_search_names list(flattened_spl) AS flattened_spl BY app_name dashboard_name owner
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can extract all the search queries from dashboards, clean it up a bit, flatten it, sort it and then quickly review any that look similar. You can also ignore any dashboards that are already using base searches.
Here's how I would do it.
| rest /servicesNS/-/-/data/ui/views | search isDashboard=1 eai:data ="*<query>*"
| rename eai:appName AS app_name eai:data AS dashboard_raw label AS dashboard_name author AS owner
| fields dashboard_raw dashboard_name app_name owner dashboard_path
| dedup dashboard_name app_name
| rex max_match=100 field=dashboard_raw "\<search base=\"(?<base_search_names>[^\"]*)"
| eval base_search_ct=MVCOUNT(base_search_names)
| rex max_match=100 field=dashboard_raw "(?ms)<query\>(?<extracted_spl>.*?)</query>"
| mvexpand extracted_spl
| eval formatted_spl=extracted_spl
| rex field=formatted_spl mode=sed "s/^[\r\n]+//g"
| rex field=formatted_spl mode=sed "s/[\r\n]\s{2,}//g"
| eval formatted_spl=TRIM(formatted_spl)
| eval flattened_spl=formatted_spl
| rex field=flattened_spl mode=sed "s/[\r\n]+/ /g"
| eval flattened_spl=CASE(LEN(flattened_spl)>210, SUBSTR(flattened_spl, 1, 200)." ...+".(LEN(flattened_spl)-200)." chars", 1=1, flattened_spl)
| table dashboard_name app_name owner flattened_spl formatted_spl dashboard_path base_search_names base_search_ct
| sort 0 dashboard_name flattened_spl | fillnull value=0 base_search_ct
| stats count AS query_ct first(base_search_ct) AS base_search_ct values(base_search_names) AS base_search_names list(flattened_spl) AS flattened_spl BY app_name dashboard_name owner
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is great.. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is no automatic way to do that. You can use
| rest /servicesNS/-/-/data/ui/viewsto get all dashboards, then parse the eai:data field to extract all search queries. Then compare those queries to see which are identical. It's unlikely, however, to find queries that are similar enough to be modified slightly and therefore able to share a common base search.
If this reply helps you, Karma would be appreciated.
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
