Assess your search workload with this simple dashboard. Here's a very quick dashboard to identify what uses your Splunk platform's computational power, so you can focus your optimisation efforts.
Once you know you have a handful of badly written correlation searches or some heavy scheduled searches that run too often, it's easy to fix the problem.
This dashboard distinguishes between several types of searches, including dashboard searches. If you have a dashboard that is typically used by several users throughout the day, that is set to auto refresh, and that is not built with base searches and/or to share the same results with loadjob, it could seriously eat at your resources. This report will show you exactly how much.
You can drill down to see individual runs of any search and see which user ran it, what the SPL was and, if applicable, which dashboard it came from. This makes full use of the "provenance" field in your _audit logs.
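To show how the "provenance" field separates dashboard load from other search types, here is an added example (not the dashboard's source, and not the author's code) that totals run time per search type from exported audit events. The sample lines are constructed and simplified, and the classification rules (the `UI:Dashboard:` prefix, `scheduler_` search IDs) are assumptions about typical audittrail values.

```python
import re
from collections import defaultdict

# Constructed, simplified audittrail lines; real events carry many more fields.
SAMPLE = [
    "Audit:[timestamp=01-15-2024 10:00:00.000, user=alice, action=search, info=granted, search_id='1700000000.11']",
    "Audit:[timestamp=01-15-2024 10:00:13.000, user=alice, action=search, info=completed, search_id='1700000000.11', total_run_time=12.50, savedsearch_name=\"\", provenance=\"UI:Dashboard:ops_overview\"]",
    "Audit:[timestamp=01-15-2024 10:01:12.000, user=bob, action=search, info=completed, search_id='1700000060.12', total_run_time=11.25, savedsearch_name=\"\", provenance=\"UI:Dashboard:ops_overview\"]",
    "Audit:[timestamp=01-15-2024 10:05:41.000, user=admin, action=search, info=completed, search_id='scheduler__admin__search__RMD5abc_at_1700000300_1', total_run_time=40.00, savedsearch_name=\"Threat - Brute Force - Rule\", provenance=\"scheduler\"]",
    "Audit:[timestamp=01-15-2024 10:06:03.000, user=carol, action=search, info=completed, search_id='1700000360.14', total_run_time=3.10, savedsearch_name=\"\", provenance=\"UI:Search\"]",
]

# key=value pairs where the value is 'single-quoted', "double-quoted" or bare.
FIELD = re.compile(r"""(\w+)=(?:'([^']*)'|"([^"]*)"|([^,\]]*))""")

def parse(line):
    return {k: a or b or c for k, a, b, c in FIELD.findall(line)}

def classify(ev):
    """Return (search_type, what_to_blame). Rules are assumptions, see lead-in."""
    prov, sid = ev.get("provenance", ""), ev.get("search_id", "")
    if prov.startswith("UI:Dashboard:"):
        return "dashboard", prov.split(":", 2)[2]      # dashboard name
    if sid.startswith(("scheduler_", "rt_scheduler_")):
        return "scheduled", ev.get("savedsearch_name", "")
    if prov.startswith("UI:"):
        return "ad hoc", ev.get("user", "")
    return "other", prov or "N/A"

def summarize(lines):
    """Rows of ((type, name), runs, total_run_time_seconds), heaviest first."""
    totals = defaultdict(lambda: [0, 0.0])
    for line in lines:
        ev = parse(line)
        # Only completed searches report total_run_time.
        if ev.get("action") != "search" or ev.get("info") != "completed":
            continue
        bucket = totals[classify(ev)]
        bucket[0] += 1
        bucket[1] += float(ev.get("total_run_time") or 0)
    rows = [(k, n, round(t, 2)) for k, (n, t) in totals.items()]
    return sorted(rows, key=lambda r: -r[2])

if __name__ == "__main__":
    for (kind, name), runs, secs in summarize(SAMPLE):
        print(f"{kind:10} {name:30} runs={runs} total_run_time={secs}s")
```
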
TODO: You should edit the source and replace the * in host=* with a pattern that narrows down your search heads.
Here's the source: