Created
October 31, 2016 20:14
-
-
Save chuckg/c924ce9e6583da4d29b91a1a59cb0537 to your computer and use it in GitHub Desktop.
A dashboard for looking at the density of searches by keyword in your Splunk Cluster. Currently relies on the Search Activity app and the indexes it creates for some of the statistic generation.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <form> | |
| <label>Search Density</label> | |
| <fieldset submitButton="true" autoRun="false"> | |
| <input type="time" token="datetime" searchWhenChanged="false"> | |
| <label></label> | |
| <default> | |
| <earliest>-60m@m</earliest> | |
| <latest>now</latest> | |
| </default> | |
| </input> | |
| <input type="text" token="keyword" searchWhenChanged="false"> | |
| <label>Search Keyword</label> | |
| <default>ranger</default> | |
| <initialValue>ranger</initialValue> | |
| <prefix>*</prefix> | |
| <suffix>*</suffix> | |
| </input> | |
| <input type="dropdown" token="keywordOperator"> | |
| <label>Keyword Operator</label> | |
| <choice value="=">Equals (=)</choice> | |
| <choice value="!=">Not Equals (!=)</choice> | |
| <default>=</default> | |
| <initialValue>=</initialValue> | |
| </input> | |
| </fieldset> | |
| <search id="buckets"> | |
| <query>`auditindex` `auditsourcetype` info=failed OR info=completed OR info=canceled "total_run_time" total_run_time>=0 searchid!=SummaryDirector* searched_buckets>0 | |
| | eval buckets_scanned=searched_buckets | |
| | bucket buckets_scanned span=log10 | |
| | stats count, sum(searched_buckets) as total_searched_buckets, sum(eliminated_buckets) as total_eliminated_buckets by buckets_scanned | |
| | eval total_percent_eliminated_buckets=round((total_eliminated_buckets/total_searched_buckets)*100, 2)</query> | |
| <earliest>$datetime.earliest$</earliest> | |
| <latest>$datetime.latest$</latest> | |
| </search> | |
| <row> | |
| <panel> | |
| <title>Search with keyword</title> | |
| <single> | |
| <search> | |
| <query>| stats count | eval search="actualsearch$keywordOperator$\"$keyword$\"" | table search</query> | |
| <earliest>$datetime.earliest$</earliest> | |
| <latest>$datetime.latest$</latest> | |
| </search> | |
| <option name="drilldown">none</option> | |
| <option name="colorBy">value</option> | |
| <option name="colorMode">none</option> | |
| <option name="numberPrecision">0</option> | |
| <option name="showSparkline">1</option> | |
| <option name="showTrendIndicator">1</option> | |
| <option name="trendColorInterpretation">standard</option> | |
| <option name="trendDisplayMode">absolute</option> | |
| <option name="unitPosition">after</option> | |
| <option name="useColors">0</option> | |
| <option name="useThousandSeparators">1</option> | |
| <option name="linkView">search</option> | |
| <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option> | |
| <option name="rangeValues">[0,30,70,100]</option> | |
| </single> | |
| </panel> | |
| <panel> | |
| <title>Description of search density</title> | |
| <html> | |
| <p> | |
| The chart below shows density of events matched over events scanned for | |
| searches matching the value of <em>"Search Keywords"</em>. More on | |
| this can be found in the <a href="http://docs.splunk.com/Documentation/Splunk/6.5.0/Capacity/HowsearchtypesaffectSplunkEnterpriseperformance">Splunk Documentation</a>. | |
| </p> | |
| <h3>Caveats</h3> | |
| <ul> | |
| <li>Only considers searches with >0 scanned events</li> | |
| <li>Density is represented as a percent value of events matched over events scanned for a search. The column <em>percent</em> reflects this value.</li> | |
| <li>All "SummaryDirector" searches run by the splunk-system-user have been removed from the list to exclude summarization reports made by the Splunk system itself.</li> | |
| </ul> | |
| </html> | |
| </panel> | |
| </row> | |
| <row> | |
| <panel> | |
| <title>Search density for keyword</title> | |
| <chart> | |
| <search> | |
| <query>| tstats local=t values(total_run_time) as total_run_time values(result_count) as result_count values(scan_count) as scan_count values(event_count) as event_count values(ShouldInvestigate) as ShouldInvestigate from `SA_SearchHistory` where * actualsearch$keywordOperator$"$keyword$" WasShared=yes OR wasshared=no total_run_time>=0 result_count>=0 scan_count>0 searchtype=adhoc* OR searchtype=summarization* OR searchtype=scheduled* OR searchtype=realtime* OR searchtype=dashboard* searchcommands=* SearchHead=* user=* searchid!=SummaryDirector* * groupby searchid | eval percent=(event_count / scan_count * 100) | eval density=case(percent>10, "Dense (>10%)", percent<10 AND percent>1, "Medium (1-10%)", percent<1 AND percent>0.1, "Sparse (0.1-1%)", percent<0.1 AND percent>0, "Rare (<0.1%)", 0==0, ">1 scan, no events") | stats count by density</query> | |
| <earliest>$datetime.earliest$</earliest> | |
| <latest>$datetime.latest$</latest> | |
| </search> | |
| <option name="charting.chart">pie</option> | |
| <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> | |
| <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> | |
| <option name="charting.axisTitleX.visibility">visible</option> | |
| <option name="charting.axisTitleY.visibility">visible</option> | |
| <option name="charting.axisTitleY2.visibility">visible</option> | |
| <option name="charting.axisX.scale">linear</option> | |
| <option name="charting.axisY.scale">linear</option> | |
| <option name="charting.axisY2.enabled">0</option> | |
| <option name="charting.axisY2.scale">inherit</option> | |
| <option name="charting.chart.bubbleMaximumSize">50</option> | |
| <option name="charting.chart.bubbleMinimumSize">10</option> | |
| <option name="charting.chart.bubbleSizeBy">area</option> | |
| <option name="charting.chart.nullValueMode">gaps</option> | |
| <option name="charting.chart.showDataLabels">none</option> | |
| <option name="charting.chart.sliceCollapsingThreshold">0.01</option> | |
| <option name="charting.chart.stackMode">default</option> | |
| <option name="charting.chart.style">shiny</option> | |
| <option name="charting.drilldown">none</option> | |
| <option name="charting.layout.splitSeries">0</option> | |
| <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option> | |
| <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> | |
| <option name="charting.legend.placement">right</option> | |
| </chart> | |
| </panel> | |
| </row> | |
| <row> | |
| <panel> | |
| <title>Searches >60s with <0.1% events/scanned for keyword</title> | |
| <table> | |
| <search> | |
| <query>| tstats local=t values(user) as user values(actualsearch) as search values(total_run_time) as total_run_time values(result_count) as result_count values(scan_count) as scan_count values(event_count) as event_count from `SA_SearchHistory` where * actualsearch$keywordOperator$"$keyword$" WasShared=yes OR wasshared=no total_run_time>=0 result_count>=0 scan_count>0 total_run_time>60 searchtype=adhoc* OR searchtype=summarization* OR searchtype=scheduled* OR searchtype=realtime* OR searchtype=dashboard* searchcommands=* SearchHead=* user=* searchid!=SummaryDirector* * groupby searchid | eval percent=(event_count / scan_count * 100) | where percent<0.1 | eval density=case(percent>10, "Dense (>10%)", percent<10 AND percent>1, "Medium (1-10%)", percent<1 AND percent>0.1, "Sparse (0.1-1%)", percent<0.1 AND percent>0, "Rare (<0.1%)", 0==0, ">1 scan, no events") | sort percent - scan_count | table searchid, search, user, *</query> | |
| <earliest>$datetime.earliest$</earliest> | |
| <latest>$datetime.latest$</latest> | |
| </search> | |
| <option name="wrap">true</option> | |
| <option name="rowNumbers">true</option> | |
| <option name="drilldown">none</option> | |
| <option name="dataOverlayMode">none</option> | |
| <option name="count">10</option> | |
| </table> | |
| </panel> | |
| </row> | |
| <row> | |
| <panel> | |
| <title>Buckets Scanned for all searches</title> | |
| <chart> | |
| <search base="buckets"> | |
| <query>| table *</query> | |
| </search> | |
| <option name="charting.chart">pie</option> | |
| <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> | |
| <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> | |
| <option name="charting.axisTitleX.visibility">visible</option> | |
| <option name="charting.axisTitleY.visibility">visible</option> | |
| <option name="charting.axisTitleY2.visibility">visible</option> | |
| <option name="charting.axisX.scale">linear</option> | |
| <option name="charting.axisY.scale">linear</option> | |
| <option name="charting.axisY2.enabled">0</option> | |
| <option name="charting.axisY2.scale">inherit</option> | |
| <option name="charting.chart.bubbleMaximumSize">50</option> | |
| <option name="charting.chart.bubbleMinimumSize">10</option> | |
| <option name="charting.chart.bubbleSizeBy">area</option> | |
| <option name="charting.chart.nullValueMode">gaps</option> | |
| <option name="charting.chart.showDataLabels">none</option> | |
| <option name="charting.chart.sliceCollapsingThreshold">0.01</option> | |
| <option name="charting.chart.stackMode">default</option> | |
| <option name="charting.chart.style">shiny</option> | |
| <option name="charting.drilldown">all</option> | |
| <option name="charting.layout.splitSeries">0</option> | |
| <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option> | |
| <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> | |
| <option name="charting.legend.placement">right</option> | |
| <option name="wrap">true</option> | |
| <option name="rowNumbers">false</option> | |
| <option name="dataOverlayMode">none</option> | |
| </chart> | |
| </panel> | |
| <panel> | |
| <title>Buckets Scanned for all searches (stats table)</title> | |
| <table> | |
| <search base="buckets"> | |
| <query>| table buckets_scanned, count, total_searched*, total_eliminated, total_percent*</query> | |
| </search> | |
| <option name="charting.chart">pie</option> | |
| <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> | |
| <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> | |
| <option name="charting.axisTitleX.visibility">visible</option> | |
| <option name="charting.axisTitleY.visibility">visible</option> | |
| <option name="charting.axisTitleY2.visibility">visible</option> | |
| <option name="charting.axisX.scale">linear</option> | |
| <option name="charting.axisY.scale">linear</option> | |
| <option name="charting.axisY2.enabled">0</option> | |
| <option name="charting.axisY2.scale">inherit</option> | |
| <option name="charting.chart.bubbleMaximumSize">50</option> | |
| <option name="charting.chart.bubbleMinimumSize">10</option> | |
| <option name="charting.chart.bubbleSizeBy">area</option> | |
| <option name="charting.chart.nullValueMode">gaps</option> | |
| <option name="charting.chart.showDataLabels">none</option> | |
| <option name="charting.chart.sliceCollapsingThreshold">0.01</option> | |
| <option name="charting.chart.stackMode">default</option> | |
| <option name="charting.chart.style">shiny</option> | |
| <option name="charting.drilldown">all</option> | |
| <option name="charting.layout.splitSeries">0</option> | |
| <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option> | |
| <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> | |
| <option name="charting.legend.placement">right</option> | |
| <option name="wrap">true</option> | |
| <option name="rowNumbers">false</option> | |
| <option name="dataOverlayMode">none</option> | |
| <option name="drilldown">cell</option> | |
| <option name="count">10</option> | |
| </table> | |
| </panel> | |
| </row> | |
| </form> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment