Splunk Search

Most common and most expensive searches run by users

shahzadarif
Path Finder

I need to find out what the most common searches run by users on a daily basis are. Also, what are the most expensive searches? I mean, which searches are taking the most time to complete.
We have a search head cluster (version 6.3.3), so I'm guessing the only place to get this information is from the cluster master DMC?

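Both halves of the question can be answered directly from the `_audit` index without installing an app. The following is an added example and not part of the thread or of any Splunkbase app: it uses the standard `_audit` fields Splunk writes for completed searches (`action`, `info`, `user`, `search`, `search_id`, `savedsearch_name`, `total_run_time`); the `head 20` limits, the `adhoc`/`scheduled` labelling and the exclusion of real-time searches (whose `search_id` starts with `rt_`) are my choices. The first search ranks by frequency, the second by run time.

```spl
index=_audit action=search info=completed search_id!="rt_*" search=*
| eval search_type=if(isnotnull(savedsearch_name) AND savedsearch_name!="", "scheduled", "adhoc")
| stats count AS runs, dc(user) AS distinct_users, values(user) AS users,
        avg(total_run_time) AS avg_runtime_s, sum(total_run_time) AS total_runtime_s
        BY search, search_type
| sort - runs
| head 20

index=_audit action=search info=completed search_id!="rt_*" search=*
| stats max(total_run_time) AS max_runtime_s, avg(total_run_time) AS avg_runtime_s,
        count AS runs BY user, search
| sort - max_runtime_s
| head 20
```

Run each search over a single day to get the daily picture the question asks for, or save either one as a scheduled report. Two caveats for a search head cluster: `_audit` is written locally on each search head, so unless the members forward their internal logs to the indexers (the usual recommendation) you will only see the searches dispatched from the member you are logged into; and reading `_audit` requires the admin role (or a role explicitly granted the index), which also makes the second search a useful record of who ran what when reviewing unusual activity.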

sundareshr
Legend

I've found this to be a useful app.

https://splunkbase.splunk.com/app/2678/

Amongst other reports, it has a report for Top 100 Most Expensive Searches by Search and User


shahzadarif
Path Finder

Sundar, thanks for providing the name of the app. I've downloaded it in my staging environment so I will play with it. I think this is the sort of app I was looking for.
ddrillic I'll be upgrading to 6.4.2 pretty soon (at least in the staging environment) to utilise the tsidx reduction feature so I'll look at the extra functionality introduced in the DMC.
Thank you both 🙂
Now my next question: is it possible to create dashboards on search heads which can be accessed by, let's say, power users? I want these dashboards to show the performance of Splunk.


sundareshr
Legend

Sure, you can limit access to this app/dashboards to specific users. Or you can clone these dashboards (look at the search) and put them in a new app with restricted permissions.


ddrillic
Ultra Champion

A lot of good work was placed in the DMC - Deployment Management Console of Splunk 6.4.1.

When we realized recently that the SoS app charges against the license, Support told us:

-- Indeed, and this is one of the reasons for me to recommend the Distributed Management Console, which leverages built-in instrumentation data that supersedes the information collected by S.o.S scripted inputs to provide visibility on resource usage, search activity and other application vitals.

One of the views is the max searches per app -


Under this section, one can see the Top 20 Memory-Consuming Searches as you asked for.

Most useful ;-) but you need to be on this recent 6.4.1 version...

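The DMC's memory-consuming-searches view is built on the same `_introspection` data that is available on any 6.1+ instance, so the equivalent table can be produced on 6.3.3 without upgrading. This is an added example, not a search taken from the DMC or from the thread: the field names (`sourcetype=splunk_resource_usage`, `component=PerProcess`, `data.search_props.sid`, `data.search_props.user`, `data.search_props.app`, `data.mem_used`, `data.pct_cpu`) are the ones Splunk's resource-usage introspection logs use, with `data.mem_used` reported in MB; the `head 20` limit and the derived duration are my additions.

```spl
index=_introspection sourcetype=splunk_resource_usage component=PerProcess data.search_props.sid=*
| eval sid='data.search_props.sid', user='data.search_props.user', app='data.search_props.app',
       mem_mb='data.mem_used', pct_cpu='data.pct_cpu'
| stats max(mem_mb) AS peak_mem_mb, max(pct_cpu) AS peak_pct_cpu,
        values(user) AS user, values(app) AS app,
        min(_time) AS first_seen, max(_time) AS last_seen BY sid
| eval duration_s=round(last_seen - first_seen, 0)
| sort - peak_mem_mb
| head 20
| convert ctime(first_seen) ctime(last_seen)
```

Because introspection samples each search process periodically (every few seconds by default), very short searches may not be captured at all, and `peak_mem_mb` is the highest sampled value rather than a true maximum. As with `_audit`, the data is local to the search head that ran the search unless the members forward their internal logs to the indexers, so run it from a member that can see all of them.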

woodcock
Esteemed Legend

There are several apps on splunkbase (apps.splunk.com) to do this kind of thing and more are added all the time. Search around and tell us what you find.
