Who is searching in Splunk?

I was recently assisting a customer in an attempt to build a dashboard around usage patterns. One of the requirements was to detail the metrics around searching. Specifically, who is running searches and from where? In the vanilla Splunk Web interface, we package a dashboard that includes a view for unscheduled and scheduled search patterns. To get to this view, simply navigate to the main Splunk Web interface > Status pull-down > Search activity > Search details. While this is great, I ran into a problem with my metrics…

Since most users are querying Splunk through the API via a script, these searches appear as unscheduled occurrences. In this particular environment, these scripted searches occur tens of thousands of times a day! Manually picking through them would not be easy. After quite a bit of digging around, I found that there was no easy way to distinguish these API calls from UI calls. The closest thing I could do would be to correlate UI activity with each search. This might not be ideal as I could have some overlap with scripted calls.

When I picked the brain of our Search Language guy, Dr. Zhang, he stated that a good representation would be to check the status_buckets setting. The flashtimeline view will utilize a status_buckets setting of 300, which can be found in the audit log by searching for the number of buckets. The final search (which must be run with an admin-level role) would be:

index=_audit "buckets=300" | timechart count by user

The above search will give you the UI search count broken down by user. It can be very useful in determining usage patterns for Splunk users. For more detail around status_buckets, check out the API documentation (statusBuckets):

Simeon Yep
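
As an added example (not part of the original post and not Splunk's own code), this Python script applies the same buckets=300 heuristic to exported audit events offline, reading the buckets key outside the quoted search string so that a scripted search whose query text contains "buckets=300", or a value such as buckets=3000, is not counted as UI activity. The sample events are constructed, and their key=value layout with a single-quoted search string is an assumption about the audit event format.

```python
import re
from collections import Counter

# Constructed sample events (not real logs). The key=value layout with a
# single-quoted search string is an assumption about the audit event format.
SAMPLE_EVENTS = [
    "Audit:[timestamp=01-01-2024 10:00:00.000, user=alice, action=search, info=granted, search_id='1.1', search='search index=main error', buckets=300, ttl=600]",
    "Audit:[timestamp=01-01-2024 10:00:05.000, user=svc_report, action=search, info=granted, search_id='1.2', search='search index=main | stats count', buckets=0, ttl=600]",
    # Scripted search whose query text itself contains the marker string.
    "Audit:[timestamp=01-01-2024 10:00:09.000, user=svc_report, action=search, info=granted, search_id='1.3', search='search index=_audit \"buckets=300\"', buckets=0, ttl=600]",
    # buckets=3000 must not be counted as 300.
    "Audit:[timestamp=01-01-2024 10:01:00.000, user=bob, action=search, info=granted, search_id='1.4', search='search index=web', buckets=3000, ttl=600]",
    "Audit:[timestamp=01-01-2024 10:02:00.000, user=alice, action=search, info=granted, search_id='1.5', search='search index=web status=500', buckets=300, ttl=600]",
    # Not a search event at all.
    "Audit:[timestamp=01-01-2024 10:03:00.000, user=bob, action=login attempt, info=succeeded]",
]

QUOTED = re.compile(r"'(?:[^'\\]|\\.)*'")   # single-quoted values, e.g. the search text
PAIR = re.compile(r"(\w+)=([^,\]]*)")        # key=value up to the next comma or ']'
UI_BUCKETS = "300"  # value the post attributes to the flashtimeline view


def parse_event(line):
    """Return key=value pairs found outside single-quoted strings."""
    stripped = QUOTED.sub("''", line)
    return {k: v.strip() for k, v in PAIR.findall(stripped)}


def classify(line):
    """Return (user, origin) for a search event, or None for anything else."""
    f = parse_event(line)
    if f.get("action") != "search" or "buckets" not in f:
        return None
    origin = "ui" if f["buckets"] == UI_BUCKETS else "scripted_or_other"
    return f.get("user", "unknown"), origin


def count_by_user(lines):
    """Count search events per (user, origin) pair."""
    return Counter(r for r in map(classify, lines) if r)


if __name__ == "__main__":
    for (user, origin), n in sorted(count_by_user(SAMPLE_EVENTS).items()):
        print(f"{user:12} {origin:18} {n}")
```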
