Big Data Brought Down The Hammer On Me... Thoughts...

GiantSpaceRobot · ‎10-02-2020

I am mostly new to Splunk but certainly the most well-versed member on my team. I was recently reprimanded by my company's Big Data leadership for "abusing the system" by running "25 queries with index=*" and that I should know what indexes I am working within...

Here's the deal.. I never ran 25 queries with index=*... at most my team has four total indexes so there wouldn't be much of a reason.

My question is this - since I created a dashboard for my team - is it possible someone else ran the queries through my dashboard (say by inspecting a panel) and it registered to my user account?

I currently have my group set to read-only permissions. Thoughts?

burwell · ‎10-02-2020

Hi. So how many panels are in each dashboard? Each one counts as a search.

GiantSpaceRobot · ‎10-02-2020

About 20 panels in the single dashboard. Would that be considered excessive?

But I did check all of the queries used for each panel and none of them are "index=*" they all have a specific index value.

Big Data Brought Down The Hammer On Me... Thoughts?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7