Fix saved searches

devinslick · devinslick · commit 81d9cb280b0c · 2025-11-17T19:47:47.000-06:00
diff --git a/default/savedsearches.conf b/default/savedsearches.conf
@@ -12,7 +12,7 @@ description = Collects dashboard view metrics from splunkd_access logs
 dispatch.earliest_time = -5m
 dispatch.latest_time = now
 enableSched = 0
-search = index=_internal sourcetype=splunkd_access method=GET uri_path="/*/app/*" status=200 | rex field=uri_path "/[^/]+/app/(?<app>[^/]+)/(?<dashboard_name>[^/?]+)" | where isnotnull(dashboard_name) | eval dashboard_uri="/app/".app."/".dashboard_name | lookup dashboard_registry dashboard_uri OUTPUT pretty_name app as reg_app owner | where isnotnull(pretty_name) | stats count by dashboard_uri, pretty_name, app, user | eval metric_name="dashboard.views", activity_type="view" | mcollect index=caca_metrics split=t metric_name
+search = index=_internal sourcetype=splunkd_access method=GET uri_path="/*/app/*" status=200 | rex field=uri_path "/[^/]+/app/(?<app>[^/]+)/(?<dashboard_name>[^/?]+)" | where isnotnull(dashboard_name) | eval dashboard_uri="/app/".app."/".dashboard_name | lookup dashboard_registry dashboard_uri OUTPUT pretty_name app as reg_app owner | where isnotnull(pretty_name) | stats count by dashboard_uri, pretty_name, app, user | eval activity_type="view" | mcollect index=caca_metrics metric_name=dashboard.views pretty_name app user activity_type split=t
 schedule_priority = default
 schedule_window = 5
 dispatchAs = owner
@@ -25,7 +25,7 @@ description = Collects dashboard edit/creation metrics from audit logs
 dispatch.earliest_time = -10m
 dispatch.latest_time = now
 enableSched = 0
-search = index=_audit action=edit_view OR action=create_view object_type=view | rex field=object "(?<app>[^:]+):(?<dashboard_name>.+)" | eval dashboard_uri="/app/".app."/".dashboard_name | lookup dashboard_registry dashboard_uri OUTPUT pretty_name app as reg_app owner | where isnotnull(pretty_name) | stats count by dashboard_uri, pretty_name, app, user, action | eval metric_name="dashboard.edits", activity_type=if(action="create_view", "create", "edit") | mcollect index=caca_metrics split=t metric_name
+search = index=_audit action=edit_view OR action=create_view object_type=view | rex field=object "(?<app>[^:]+):(?<dashboard_name>.+)" | eval dashboard_uri="/app/".app."/".dashboard_name | lookup dashboard_registry dashboard_uri OUTPUT pretty_name app as reg_app owner | where isnotnull(pretty_name) | stats count by dashboard_uri, pretty_name, app, user, action | eval activity_type=if(action="create_view", "create", "edit") | mcollect index=caca_metrics metric_name=dashboard.edits pretty_name app user activity_type split=t
 schedule_priority = default
 schedule_window = 5
 dispatchAs = owner
@@ -38,7 +38,7 @@ description = Collects dashboard health metrics including errors and performance
 dispatch.earliest_time = -15m
 dispatch.latest_time = now
 enableSched = 0
-search = index=_internal (sourcetype=splunkd log_level=ERROR OR log_level=WARN) (component=ScheduledViewsReporter OR component=DashboardController OR component=SimpleXML) | rex field=_raw "view=(?<dashboard_name>[^\\s,]+)" | rex field=_raw "app=(?<app>[^\\s,]+)" | where isnotnull(dashboard_name) AND isnotnull(app) | eval dashboard_uri="/app/".app."/".dashboard_name | lookup dashboard_registry dashboard_uri OUTPUT pretty_name app as reg_app owner | where isnotnull(pretty_name) | stats count by dashboard_uri, pretty_name, app, log_level | eval metric_name="dashboard.errors", severity=lower(log_level), activity_type="health" | mcollect index=caca_metrics split=t metric_name
+search = index=_internal (sourcetype=splunkd log_level=ERROR OR log_level=WARN) (component=ScheduledViewsReporter OR component=DashboardController OR component=SimpleXML) | rex field=_raw "view=(?<dashboard_name>[^\\s,]+)" | rex field=_raw "app=(?<app>[^\\s,]+)" | where isnotnull(dashboard_name) AND isnotnull(app) | eval dashboard_uri="/app/".app."/".dashboard_name | lookup dashboard_registry dashboard_uri OUTPUT pretty_name app as reg_app owner | where isnotnull(pretty_name) | stats count by dashboard_uri, pretty_name, app, log_level | eval severity=lower(log_level), activity_type="health" | mcollect index=caca_metrics metric_name=dashboard.errors pretty_name app severity activity_type split=t
 schedule_priority = default
 schedule_window = 5
 dispatchAs = owner
@@ -51,7 +51,7 @@ description = Collects dashboard load time and performance metrics
 dispatch.earliest_time = -10m
 dispatch.latest_time = now
 enableSched = 0
-search = index=_internal sourcetype=splunkd_ui_access uri_path="/*/app/*" | rex field=uri_path "/[^/]+/app/(?<app>[^/]+)/(?<dashboard_name>[^/?]+)" | where isnotnull(dashboard_name) AND isnotnull(spent) | eval dashboard_uri="/app/".app."/".dashboard_name | lookup dashboard_registry dashboard_uri OUTPUT pretty_name app as reg_app owner | where isnotnull(pretty_name) | eval load_time_ms=tonumber(spent) | where isnotnull(load_time_ms) AND load_time_ms > 0 | stats sum(load_time_ms) as total_load_time, count as request_count by dashboard_uri, pretty_name, app, user | eval metric_name="dashboard.load_time", _value=round(total_load_time/request_count, 2), activity_type="performance" | mcollect index=caca_metrics split=t metric_name
+search = index=_internal sourcetype=splunkd_ui_access uri_path="/*/app/*" | rex field=uri_path "/[^/]+/app/(?<app>[^/]+)/(?<dashboard_name>[^/?]+)" | where isnotnull(dashboard_name) AND isnotnull(spent) | eval dashboard_uri="/app/".app."/".dashboard_name | lookup dashboard_registry dashboard_uri OUTPUT pretty_name app as reg_app owner | where isnotnull(pretty_name) | eval load_time_ms=tonumber(spent) | where isnotnull(load_time_ms) AND load_time_ms > 0 | stats sum(load_time_ms) as total_load_time, count as request_count by dashboard_uri, pretty_name, app, user | eval _value=round(total_load_time/request_count, 2), activity_type="performance" | mcollect index=caca_metrics metric_name=dashboard.load_time _value pretty_name app user activity_type split=t
 schedule_priority = default
 schedule_window = 5
 dispatchAs = owner
