I am looking for a search to find what all Dashboards are using Real Time Searches.
Like this:
|rest/servicesNS/-/-/data/ui/views
| regex eai:data="<earliest>rt"
| table splunk_server disabled title eai:acl.app eai:appName id
Like this:
|rest/servicesNS/-/-/data/ui/views
| regex eai:data="<earliest>rt"
| table splunk_server disabled title eai:acl.app eai:appName id
Hello Woodcock, I am getting below out put but unable to correlate. Can you please explain a bit - What it is referring to:
disabled title eai:acl.app eai:appName id
0 simple_search_realtime simple_xml_examples simple_xml_examples https://127.0.0.1:8089/servicesNS/nobody/simple_xml_examples/data/ui/views/simple_search_realtime
0 splunk_performance_metrics em_ss_portal_app em_ss_portal_app https://127.0.0.1:8089/servicesNS/nobody/em_ss_portal_app/data/ui/views/splunk_performance_metrics
What is there to correlate? You have the name of the search and the app that it is in. Just go look at it.
Got it, The only confusion was from the applications are coming "https://127.0.0.1:8089" doesnt make sense to me as I have 4 different Search Head Clustered environment.
I found the solution, Your query works fine here, I just molded it to get more information relevant to the exact searchhead by using field (splunk_server) in the table.
Thanks.
Ah, now I see what you mean; I updated my answer, too.
Hi gagandeep_arora,
as my previous answer:
use Splunk Distributed Monitoring Console App to monitor your search activity.
In addition you could use Search Activity App (https://splunkbase.splunk.com/app/2632/) but it isn't so easy to configure.
Bye.
Giuseppe