Add app filtering capability for selective monitoring

Co-authored-by: devinslick <[email protected]>

Author: Copilot

README.md

@@ -212,6 +212,8 @@ Replace `YOUR_DASHBOARD_NAME` with your dashboard's pretty name from the registr
 
 CACA provides several search macros for easy querying. These macros help you quickly identify dashboards with issues, analyze performance, and understand usage patterns.
 
+**Note:** All macros respect the app filter configuration (see "Filtering Apps for Monitoring" in Configuration section). All results include the `app` field showing which app each dashboard belongs to, making it easy to filter or group results by application.
+
 #### Finding Dashboards with Issues
 
 ##### Identify dashboards with health issues (errors/warnings):
@@ -293,6 +295,20 @@ CACA provides several search macros for easy querying. These macros help you qui
 | where health_status="critical" OR (errors_7d > 50) OR (avg_load_time_7d > 10000)
 ```
 
+**Filter results by specific app:**
+```spl
+`get_dashboards_with_errors`
+| where app="search"
+| table pretty_name app errors warnings health_status
+```
+
+**List dashboards with errors across multiple apps:**
+```spl
+`get_dashboards_with_errors`
+| where app IN ("my_app1", "my_app2", "production_app")
+| sort -errors
+```
+
 **List dashboards with errors that are actively used:**
 ```spl
 `get_dashboards_with_errors`
@@ -339,9 +355,70 @@ Edit `default/indexes.conf` to adjust retention:
 frozenTimePeriodInSecs = 31536000  # 1 year (default)
 ```
 
-### Excluding Dashboards from Monitoring
+### Filtering Apps for Monitoring
+
+CACA can be configured to only monitor dashboards from specific apps, or exclude certain apps from monitoring. This is useful when you only want to track dashboards in production apps, or exclude system/admin apps.
+
+#### Configuration Method
+
+Edit `lookups/app_filter.csv` to control which apps are monitored:
+
+**Include specific apps only:**
+```csv
+app,include
+search,true
+my_production_app,true
+another_app,true
+```
+
+**Exclude specific apps:**
+```csv
+app,include
+splunk_monitoring_console,false
+learned,false
+introspection_generator_addon,false
+```
+
+**How it works:**
+- If an app is **not listed** in app_filter.csv, it **will be monitored** (default behavior)
+- If an app is listed with `include=true` (or `1` or `yes`), it **will be monitored**
+- If an app is listed with `include=false` (or `0` or `no`), it **will NOT be monitored**
+- The filter applies to:
+  - Dashboard registry updates (which dashboards are discovered)
+  - All metrics collection (views, edits, errors, performance)
+  - All search macros and dashboard queries
+
+#### Examples
+
+**Monitor only specific production apps:**
+```csv
+app,include
+production_app1,true
+production_app2,true
+production_app3,true
+```
+Then add a wildcard exclusion entry to exclude everything else (optional):
+```csv
+app,include
+production_app1,true
+production_app2,true
+*,false
+```
+
+**Exclude system and admin apps:**
+```csv
+app,include
+splunk_monitoring_console,false
+learned,false
+introspection_generator_addon,false
+splunk_instrumentation,false
+```
+
+**Note:** After updating `app_filter.csv`, run the "Dashboard Registry - Auto Update" search to rebuild the dashboard registry with the new filter applied.
+
+### Excluding Individual Dashboards from Monitoring
 
-Edit `lookups/dashboard_registry.csv` and set `status=inactive` for dashboards you want to exclude from collection.
+Edit `lookups/dashboard_registry.csv` and set `status=inactive` for specific dashboards you want to exclude from collection (this is independent of app filtering).
 
 ## Troubleshooting
 

default/macros.conf

@@ -123,3 +123,9 @@ definition = `get_all_dashboards_summary` \
 | table pretty_name app views_7d errors_7d avg_load_time_7d health_status issue_type \
 | sort -errors_7d -avg_load_time_7d
 iseval = 0
+
+[filter_by_app]
+definition = lookup app_filter app OUTPUT include \
+| where isnull(include) OR include="true" OR include="1" OR include="yes" \
+| fields - include
+iseval = 0

default/savedsearches.conf

@@ -101,7 +101,7 @@ schedule_window = 5
 action.email.useNSSubject = 1
 alert.track = 0
 cron_schedule = 0 2 * * *
-description = Automatically updates dashboard registry via REST API
+description = Automatically updates dashboard registry via REST API, respecting app filter configuration
 dispatch.earliest_time = -5m
 dispatch.latest_time = now
 enableSched = 0
@@ -113,6 +113,9 @@ search = | rest /services/data/ui/views splunk_server=local count=0 \
 | eval owner=eai:acl.owner \
 | eval description=coalesce(eai:data, "") \
 | eval status="active" \
+| lookup app_filter app OUTPUT include \
+| where isnull(include) OR include="true" OR include="1" OR include="yes" \
+| fields - include \
 | table dashboard_uri pretty_name app owner description status \
 | outputlookup dashboard_registry.csv
 schedule_priority = low

default/transforms.conf

@@ -3,3 +3,7 @@
 [dashboard_registry]
 filename = dashboard_registry.csv
 case_sensitive_match = false
+
+[app_filter]
+filename = app_filter.csv
+case_sensitive_match = false

lookups/APP_FILTER_README.md

@@ -0,0 +1,60 @@
+# App Filter Configuration
+
+This file controls which Splunk apps are monitored by CACA (Content Activity Checking Application).
+
+## How It Works
+
+- If an app is **not listed** in this file, it **WILL be monitored** (default behavior)
+- If an app is listed with `include=true` (or `1` or `yes`), it **WILL be monitored**
+- If an app is listed with `include=false` (or `0` or `no`), it **WILL NOT be monitored**
+
+## Examples
+
+### Include Only Specific Apps
+
+To monitor ONLY certain apps, list them with include=true:
+
+```csv
+app,include
+search,true
+my_production_app,true
+another_app,true
+```
+
+### Exclude Specific Apps
+
+To exclude certain apps from monitoring (monitor everything else):
+
+```csv
+app,include
+splunk_monitoring_console,false
+learned,false
+introspection_generator_addon,false
+splunk_instrumentation,false
+```
+
+### Mixed Configuration
+
+You can combine inclusions and exclusions:
+
+```csv
+app,include
+production_app1,true
+production_app2,true
+test_app,false
+dev_app,false
+```
+
+## After Changing This File
+
+After updating app_filter.csv:
+
+1. **Rebuild the dashboard registry** by running the "Dashboard Registry - Auto Update" search manually, or wait for it to run at 2 AM
+2. The filter will automatically apply to all new metrics collection
+3. Existing metrics for excluded apps will remain in the index but won't be updated
+
+## Default Behavior
+
+By default (empty file), ALL apps are monitored. Add entries to this file only if you want to:
+- Monitor only specific apps (whitelist approach)
+- Exclude specific apps (blacklist approach)

lookups/app_filter.csv

@@ -0,0 +1 @@
+app,include