Hey Splunkers,
I am trying to fine tune usage of our Splunk Cloud instance to reduce instances of concurrent searches and I am looking to turn off acceleration for unused data models to assist in this effort.
How do I use search to find data model usage by users for a specific app? I'd assume index=_internal and sourcetype=splunkd would be a good place to start but I'm having trouble finding the standard Splunk fields for "data_model". Are there any?
Thanks!
Try if this helps,
you will get the search_id, searches, datamodel names - from there you may do stats
index=_audit NOT(user="splunk-system-user" OR user="admin") action=search info=granted search=*datamodel* NOT "search_id='scheduler" NOT "search='|history" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0"|rex field=_raw "datamodel=(?<datamodel>\S+)"|fields search_id, search,datamodel