Updates

Author: gjanders

README.md

@@ -360,6 +360,8 @@ Feel free to open an issue on github or use the contact author on the SplunkBase
 
 ## Release Notes
 ### 4.0.5
+New reports:
+- `SearchHeadLevel - indexes per dashboard`
 
 ### 4.0.4
 New reports:

default/data/ui/nav/default.xml

@@ -300,6 +300,7 @@
 			<saved name="SearchHeadLevel - Lookup Editor lookup updates" />
 			<saved name="SearchHeadLevel - Datamodel access summary" />
 			<saved name="SearchHeadLevel - indexes per savedsearch" />
+                        <saved name="SearchHeadLevel - indexes per dashboard" />
 			<saved name="SearchHeadLevel - macros in use" />
 			<saved name="SearchHeadLevel - Search Queries Per Day Audit Logs" />
                         <saved name="SearchHeadLevel - Search Queries By Type Audit Logs" />         
@@ -461,6 +462,7 @@
 			<saved name="SearchHeadLevel - Lookup updates within SHC" />
 			<saved name="SearchHeadLevel - Lookup definitions with no lookup file or kvstore collection" />
 			<saved name="SearchHeadLevel - indexes per savedsearch" />
+                        <saved name="SearchHeadLevel - indexes per dashboard" />
 			<saved name="SearchHeadLevel - macros in use" />
                         <saved name="SearchHeadLevel - SHC conf log summary" />
 			<saved name="SearchHeadLevel - Searches dispatched as owner by other users" />
@@ -505,6 +507,7 @@
 			<saved name="SearchHeadLevel - access logs kvstore usage" />
 			<saved name="SearchHeadLevel - license usage per sourcetype per index" />
 			<saved name="SearchHeadLevel - indexes per savedsearch" />
+                        <saved name="SearchHeadLevel - indexes per dashboard" />
 			<saved name="SearchHeadLevel - macros in use" />
         		<saved name="SearchHeadLevel - platform_stats.audit metrics searches" />
 	                <saved name="SearchHeadLevel - platform_stats.audit metrics users" />
@@ -562,6 +565,7 @@
 		<saved name="SearchHeadLevel - Lookup Watcher Recent Modification Summary" />
 		<saved name="SearchHeadLevel - license usage per sourcetype per index" />
 		<saved name="SearchHeadLevel - indexes per savedsearch" />
+                <saved name="SearchHeadLevel - indexes per dashboard" />
 		<saved name="SearchHeadLevel - access logs kvstore usage" />
 		<saved name="SearchHeadLevel - macros in use" />
 		<saved name="SearchHeadLevel - platform_stats.audit metrics searches" />

default/savedsearches.conf

@@ -8851,3 +8851,41 @@ search =  index=_internal sourcetype IN (splunkd_access, splunkd_ui_access) sour
 | eval search_head = host \
 | eval search_head_cluster=`search_head_cluster` \
 | stats max(_time) AS _time, count, values(method) as method by collection, user, app, search_head_cluster
+
+[SearchHeadLevel - indexes per dashboard]
+action.email.useNSSubject = 1
+alert.track = 0
+cron_schedule = 11 * * * *
+description = Report only? Yes. Determine the indexes in dashboards, you could use macro substitution to find more accurate results (as per the "SearchHeadLevel - Search Queries summary exact match" search, but this one is just a simple example). The report is similar to SearchHeadLevel - indexes per savedsearch.
+dispatch.earliest_time = -65m@m
+dispatch.latest_time = -5m@m
+display.events.fields = ["index","sourcetype","host"]
+display.general.type = statistics
+enableSched = 0
+request.ui_dispatch_app = SplunkAdmins
+request.ui_dispatch_view = search
+search = | rest `splunkadmins_restmacro` /servicesNS/-/-/data/ui/views f=eai:data f=title f=eai:appName timeout=900 \
+| fields title eai:appName eai:data splunk_server author \
+| search eai:data="*<search>*" \
+| xpath outfield=base_id "//search/@id" field=eai:data \
+| xpath outfield=query "//query" field=eai:data \
+| stats count by title, query, eai:appName \
+| rex field=query "\|?(?<generating_spl>[^\|]+)(\||.*)" \
+| rex field=query mode=sed "s/```.*?```/ /g" \
+| rex field=query "(?s)^(?P<prepipe>\s*\|?([^\|]+))" \
+| rex field=query max_match=50 "(?s)\|?\s*(union|set|multisearch)[^\[]+(?P<part1>\[.*?\](\s*\[.*?\])+\s*(`[^`]+`\s*)*(\||$|',\s+))" \
+| rex field=part1 max_match=50 "(?s).*?\[(?P<subsearch>.*?)\]\s*(\||$|)" \
+| rex field=query max_match=50 "(?s)\|?\s*(map)\s+(maxsearches\s*=\s*\d+)?\s*search\s*=\s*\"(?P<subsearch>.*?)\"\s*(\||$)" \
+| rex field=query "(?s)^(?P<prepipe>\s*\|?([^\|]+))" \
+| rex field=subsearch "(?s)^\s*\|?(?P<prepipe_subsearch>([^\|]+))" \
+| nomv prepipe_subsearch \
+| fillnull prepipe_subsearch value=" " \
+| eval prepipe = prepipe . " " . prepipe_subsearch \
+| rex field=prepipe "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
+| rex field=prepipe "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
+| makemv tokenizer="([^, ]+)" indexin \
+| eval indexes=mvappend(indexregex,indexin) \
+| eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
+| eval indexes=mvmap(indexes, trim(replace(indexes, "'", ""))) \
+| eval indexes=mvdedup(indexes) \
+| stats values(indexes) AS indexes by title