Dashboards & Visualizations

Has someone figured out how to track down searches to determine which dashboard launched them?

Champion

We're trying to track down high search load and having trouble figuring out how to identify which dashboards are causing the high load due to searches. Audit logs provide the query, which shows in-line searches with a sid containing "searchX", so 50 searches in a dashboard would launch searches with sids named search1 -> search50. How do we trace those back to a dashboard?

Motivator

You can make a guess, or possibly even build the final query, using the following.

Splunk's REST API provides both dashboard definitions and details of running searches:

  1. /data/ui/views - Provides dashboard definitions
  2. /services/search/jobs - Provides details on search jobs.

I would join these two to find out which dashboards those queries reside in. Modify this to suit your needs:

|rest /servicesNS/-/-/data/ui/views
| rename eai:data as data
| search
   [|rest /services/search/jobs
    | search sid="*search10*"
    | strcat "*" search "*" data
    | table data]

How this works:
The subsearch returns searches with "search10" in the sid. This means this was the 10th search that was launched, so if you want the 50th search, you would change it to |search sid="*search50*". Once this is done, we are adding wildcards to the search that was run using the strcat command and storing it in the field data. Finally, we are returning just data. This would format it like the following: data="*some search query*" OR data="*some search query*". You can view how a subsearch works here - https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/Useasubsearch

Now, the final query gives you details of those dashboards which have the search query for sid "search10" within them.

This will help you determine what dashboards possibly launched those queries. Hope this gets you close to what you're looking for.

A gotcha here: /services/search/jobs only provides those searches which are still visible in the Job Manager. So if you are using historical sources (in your case, the audit logs), use them if they have the search definition for the sid available.

Please upvote and mark as answer if this is what you're looking for.

Cheers!

0 Karma
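The same join done offline in Python, as an added example that is not part of the answer above: it matches the dispatched search text of each `searchN` job against the Simple XML `<query>` bodies of every dashboard, the way the answer's `strcat "*" search "*"` wildcard does. The view XML, the job records, their sids and the `VIEWS`/`JOBS` names are constructed stand-ins for the two REST responses; fetching them from Splunk is left out.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of what /servicesNS/-/-/data/ui/views returns per view:
# the "eai:data" field holds the dashboard's Simple XML source.
VIEWS = {
    "sales_overview": """<dashboard><row><panel><chart>
        <search><query>index=sales | stats sum(amount) by region</query></search>
      </chart></panel></row></dashboard>""",
    "error_monitor": """<dashboard><row><panel><table>
        <search><query>index=_internal log_level=ERROR | stats count by component</query></search>
      </table></panel></row></dashboard>""",
}

# Constructed sample of /services/search/jobs entries: the sid and the search
# string actually dispatched (Splunk prefixes dispatched text with "search ").
JOBS = [
    {"sid": "1700000000.42_search10", "search": "search index=_internal log_level=ERROR | stats count by component"},
    {"sid": "1700000000.43_search3", "search": "search index=sales | stats sum(amount) by region"},
    {"sid": "1700000000.44_adhoc", "search": "search index=web status=500"},
]

def dashboard_queries(xml_text):
    """Yield every <query> (and legacy <searchString>) body in a Simple XML dashboard."""
    root = ET.fromstring(xml_text)
    for tag in ("query", "searchString"):
        for el in root.iter(tag):
            if el.text:
                yield " ".join(el.text.split())  # collapse whitespace for comparison

def normalize(search):
    """Drop the leading 'search ' keyword and collapse whitespace."""
    return " ".join(re.sub(r"^\s*search\s+", "", search).split())

def attribute_jobs(jobs, views):
    """Map each job whose sid contains searchN to the dashboards that contain its query."""
    result = {}
    for job in jobs:
        if not re.search(r"search\d+", job["sid"]):
            continue  # ad-hoc or scheduled job, not an in-line dashboard search
        needle = normalize(job["search"])
        # Substring match, the same idea as wrapping the search in "*" in the answer.
        result[job["sid"]] = sorted(name for name, xml in views.items()
                                    if any(needle in q for q in dashboard_queries(xml)))
    return result

if __name__ == "__main__":
    for sid, dashboards in attribute_jobs(JOBS, VIEWS).items():
        print(sid, "->", dashboards or ["(no dashboard match)"])
```

A job that matches no dashboard maps to an empty list, which is the signal that the search text was edited after dispatch or came from an app not in the views listing.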