Splunk dashboard that breaks down what index/sourc...

rickymckenzie10 · ‎12-10-2024

I want to create a Splunk dashboard that breaks down a splunk dashboard:

What app does it belong too.
what index or indexes feed it.
what sourcetype or sourcetypes feed it.
Users accessing it

Any other detail you might find useful, this can be a very powerful tool for anyone, and I see to find bits and pieces of this around the community so it must mean someone either already did it, or is planning to.

Something kinda this

<form version="1.6" theme="dark">
  <label>Custom Dashboard Usage</label>
  <!--
  1.1 Added line view and host info 
  1.2 Added sort
  1.3 Added sort by in dashboard
  1.4 Fixed new forma
  1.5 Fixed dashboard regex by adding space and added Pie chart 
  1.6 Fixed missing user
  -->
  <search id="base_search">
    <query>
      index="_internal"
      "data/ui/views/"
      NOT "servicesNS/-"
      sourcetype=splunkd_ui_access
      | rex "(?&lt;app&gt;[^\/]+)\/data\/ui\/views\/(?&lt;dashboard&gt;[^? ]+)"
      | rex "servicesNS\/(?&lt;user2&gt;[^\/]+)"
      | rex mode=sed field=user2 "s/%40/@/"
      | eval user=if(user="-",user2,user)
      | search
        app=*
        host="$Host$"
        user="$User$"
        app="$App$"
        dashboard="$Dashboard$"
      | fields _time host user app dashboard
    </query>
  </search>
  <fieldset submitButton="false">
    <input type="time">
      <label>Max is 30 days back</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Host">
      <label>Host</label>
      <search base="base_search">
        <query>
          | eval data=host
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="User">
      <label>User</label>
      <search base="base_search">
        <query>
          | eval data=user
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="App">
      <label>Application</label>
      <search base="base_search">
        <query>
          | eval data=app
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="Dashboard">
      <label>Dashboard</label>
      <search base="base_search">
        <query>
          | eval data=dashboard
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="Sort">
      <label>Graph by</label>
      <choice value="dashboard">Dashboard</choice>
      <choice value="app">Application</choice>
      <choice value="user">User</choice>
      <choice value="host">Host</choice>
      <default>dashboard</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Dashboards usage frequency by count</title>
        <search base="base_search">
          <query>
            | timechart limit=25 useother=f count by $Sort$
          </query>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.fieldColors">{"m-cluster-01":#55C169,"m-cluster-02":#55C169,"m-cluster-03":#55C169,"m-cluster-04":#55C169,"m-test":#D41F1F,"m-master-deploy":#FFFF00,"m-monitor":#1182F3,"m-search-tphp":#E3723A,"m-search-helsemn":#D94E17,"m-deploy":#88527D,"m-collector-01":#65778A,"p-collector-01":#65778A,"h-collector-01":#65778A}</option>
        <option name="height">400</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Dashboards usage frequency by percent</title>
        <search base="base_search">
          <query>
            | stats count by $Sort$
          </query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.fieldColors">{"m-cluster-01":#55C169,"m-cluster-02":#55C169,"m-cluster-03":#55C169,"m-cluster-04":#55C169,"m-test":#D41F1F,"m-master-deploy":#FFFF00,"m-monitor":#1182F3,"m-search-tphp":#E3723A,"m-search-helsemn":#D94E17,"m-deploy":#88527D,"m-collector-01":#65778A,"p-collector-01":#65778A,"h-collector-01":#65778A}</option>
        <option name="height">385</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Dashboards usage frequency by time, sh-server, user &amp; application</title>
        <search base="base_search">
          <query>
            | sort 0 - _time
            | table _time host user app dashboard
          </query>
        </search>
        <option name="count">50</option>
        <format type="color" field="host">
          <colorPalette type="map">{"m-cluster-01":#55C169,"m-cluster-02":#55C169,"m-cluster-03":#55C169,"m-cluster-04":#55C169,"m-test":#D41F1F,"m-master-deploy":#FFFF00,"m-monitor":#1182F3,"m-search-tphp":#E3723A,"m-search-helsemn":#D94E17,"m-deploy":#88527D,"m-collector-01":#65778A,"p-collector-01":#65778A,"h-collector-01":#65778A}</colorPalette>
        </format>
        <format type="color" field="user">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="app">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="dashboard">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</form>

PickleRick · ‎12-10-2024

Keep in mind that while points 1 and 4 are relatively easy, there is no 100% reliable way to do 2 and 3. You can account for some typical searches but what if the searches behind a dashboard are defined based on macros? Macros containing macros? Eventtypes? What if they're powered by saved searches? Lookups created with saved searches? Datamodels?

There are so many possible use cases even before I try to explicitly obfuscate the search.

bowesmana · ‎12-10-2024

Take a look at index=_audit sourcetype=audittrail - that logs searches made. Looking at the provenance=UI:dashboard:XX you can see the dashboard searches for each dashboard and along with the sid, you can work out the app and see all the metrics about the search time/results etc.

Splunk dashboard that breaks down what index/sourcetype/source feed a particular dashboard within a Splunk app

index

sourcetype

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation