Update savedsearches.conf

gjanders · web-flow · commit 6d9bca6050e3 · 2025-10-13T13:05:47.000+11:00
diff --git a/default/savedsearches.conf b/default/savedsearches.conf
@@ -5355,7 +5355,7 @@ request.ui_dispatch_app = SplunkAdmins
 request.ui_dispatch_view = search
 search = ```Attempt to gather stats from the remote_searches log on the indexing tier relating to the searches from various search heads. These may include search heads where we do not see the _audit index. Added regex to ignore the strange presummarize that comes in from search heads that do not have accelerated reports...``` \
 index=_internal `indexerhosts` sourcetype=splunkd_remote_searches source="/opt/splunk/var/log/splunk/remote_searches.log" terminated: OR closed: ```Note that TERM(starting) has the apiStartTime, apiEndTime stats, but lacks the useful stats from a search that is complete. Also note that on indexers scan_count=events_count (in my testing). Finally various fields failed to auto-extract so regexes are used now, perhaps due to the length of some searches...``` \
-| rex "(?s) elapsedTime=(?P<elapsedTime>[0-9\.]+), search='(?P<search>.*?)(', savedsearch_name|\", drop_count=\d+)" \
+| rex "(?s) elapsedTime=(?P<elapsedTime>[0-9\.]+),( cpuTime=\S+,)? search='(?P<search>.*?)(', savedsearch_name|\", drop_count=\d+)" \
 | regex search!="^(pretypeahead|copybuckets)" \
 | regex search!="^presummarize (tstats=t maintain=\"\" summaryprefix=\"[^\"]+\"|maintain=\"%22SUMMARY_ID%22%2C%22EARLIEST_TIME%22%2C%22REMOTE_SEARCH%22%2C%22NORM_SUMMARY_ID%22%2C%22NORM_REMOTE_SEARCH%22%0A\" summaryprefix=\"[^\"]+\")\s*$" \
 | rex "drop_count=[0-9]+, scan_count=(?P<scan_count>[0-9]+)" \
@@ -5393,7 +5393,7 @@ request.ui_dispatch_app = SplunkAdmins
 request.ui_dispatch_view = search
 search = ```Attempt to determine index access via the remote_searches.log file, useful for when you cannot see the audit logs of all incoming search heads```\
     index=_internal sourcetype=splunkd_remote_searches source="/opt/splunk/var/log/splunk/remote_searches.log" terminated: OR closed: ```Note that TERM(starting) has the apiStartTime, apiEndTime stats, but lacks the useful stats from a search that is complete. Also note that on indexers scan_count=events_count (in my testing). Finally the elapsedTime sometimes failed to auto-extract, perhaps due to length...``` \
-| rex "(?s) elapsedTime=(?P<elapsedTime>[0-9\.]+), search='(?P<search>.*?)(', savedsearch_name|\", drop_count=\d+)" \
+| rex "(?s) elapsedTime=(?P<elapsedTime>[0-9\.]+),( cpuTime=\S+,)? search='(?P<search>.*?)(', savedsearch_name|\", drop_count=\d+)" \
 | regex search!="^(pretypeahead|copybuckets)" \
 | rex "drop_count=[0-9]+, scan_count=(?P<scan_count>[0-9]+)" \
 | rex "total_slices=[0-9]+, considered_buckets=(?P<considered_count>[0-9]+)" \
@@ -6207,7 +6207,7 @@ request.ui_dispatch_view = search
 search = ```This warning when occurring repetitively tends to indicate some kind of issue that will require the file to be manually removed. For example a zero sized metadata file that cannot be reaped by the dispatch reaper``` \
 index=_internal `indexerhosts` source=*remote_searches.log terminated: OR closed: \
 | regex search!="^(pretypeahead|copybuckets)" \
-| rex "(?s) elapsedTime=(?P<elapsedTime>[0-9\.]+), search='(?P<search>.*?)(', savedsearch_name|\", drop_count=\d+)" \
+| rex "(?s) elapsedTime=(?P<elapsedTime>[0-9\.]+),( cpuTime=\S+,)? search='(?P<search>.*?)(', savedsearch_name|\", drop_count=\d+)" \
 | rex "(terminated|closed): search_id=(?P<search_id>[^,]+)" \
 | regex search="^(litsearch|mcatalog|mstats|mlitsearch|litmstats|tstats|presummarize)" \
 | regex search_id="^remote" \
@@ -6667,7 +6667,7 @@ request.ui_dispatch_app = SplunkAdmins
 request.ui_dispatch_view = search
 search = ```Attempt to determine index access via the remote_searches.log file, useful for when you cannot see the audit logs of all incoming search heads. This version looks for wildcards and it is not expected to be super-accurate, as while we can determine the incoming server, and sometimes the incoming user from the search id we cannot accurately determine the roles of the user without building yet more lookups and complexity. Therefore this search exists only to roughly summarize if an index was ever accessed via wildcards or not at the indexing tier``` \
     index=_internal sourcetype=splunkd_remote_searches source="/opt/splunk/var/log/splunk/remote_searches.log" terminated: OR closed: ```Note that TERM(starting) has the apiStartTime, apiEndTime stats, but lacks the useful stats from a search that is complete. Also note that on indexers scan_count=events_count (in my testing). Finally the elapsedTime sometimes failed to auto-extract, perhaps due to length...``` \
-| rex "(?s) elapsedTime=(?P<elapsedTime>[0-9\.]+), search='(?P<search>.*?)(', savedsearch_name|\", drop_count=\d+)" \
+| rex "(?s) elapsedTime=(?P<elapsedTime>[0-9\.]+),( cpuTime=\S+,)? search='(?P<search>.*?)(', savedsearch_name|\", drop_count=\d+)" \
 | regex search!="^(pretypeahead|copybuckets)" \
 | rex "drop_count=[0-9]+, scan_count=(?P<scan_count>[0-9]+)" \
 | rex "total_slices=[0-9]+, considered_buckets=(?P<considered_count>[0-9]+)" \
