Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Most common and most expensive searches run by users

shahzadarif
Path Finder
‎07-15-2016 03:39 PM

I need to find out what are the most common searches are run by users on daily basis. Also what are the most expensive searches, I mean which searches are taking the most amount of time to complete.
We've a search heads cluster (version 6.3.3) so I'm guessing the only place to get this information is from the cluster master DMC?

Tags (1)
0 Karma
Reply

sundareshr
Legend
‎07-17-2016 05:11 AM

I've found this to be a useful app.

https://splunkbase.splunk.com/app/2678/

Amongst other reports, it has a report for Top 100 Most Expensive Searches by Search and User

0 Karma
Reply

shahzadarif
Path Finder
‎07-18-2016 01:23 AM

Sundar thanks for providing the name of the app. I've downloaded it in my staging environment so would play with it. I think this is the sort of app I was looking for.
ddrillic I'll be upgrading to 6.4.2 pretty soon (at least in the staging environment) to utilise the tsidx reduction feature so I'll look at the extra functionality introduced in the DMC.
Thank you both 🙂
Now my next question, is it possible to create create dashboards on search heads which can be accessed by let's say power users? I want these dashboards to show the performance of Splunk.

0 Karma
Reply

sundareshr
Legend
‎07-18-2016 07:29 AM

Sure, you can limit access to this app/dashboards users. Or you can clone these dashboards (look at the search) and put them in a new app with restricted permissions.

0 Karma
Reply

ddrillic
Ultra Champion
‎07-16-2016 06:31 PM

A lot of good work was placed in the DMC - Deployment Management Console of Splunk 6.4.1.

When we realized recently that SoS app charges against the license, Support told us -

-- Indeed, and this is one of the reasons for me to recommend the Distributed Management Console, which leverages built-in instrumentation data that supersedes the information collected by S.o.S scripted inputs to provide visibility on resource usage, search activity and other application vitals.

One of the views is the max searches per app -

alt text

Under this section, one can see the Top 20 Memory-Consuming Searches as you asked for.

Most useful ; -) but you need to be on this 6.4.1 recent version...

Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎07-15-2016 03:44 PM

There are several apps on splunkbase (apps.splunk.com) to do this kind of thing and more are added all the time. Search around and tell us what you find.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...