Ok, here's the dashboard. You can copy and paste it into a brand-new dashboard on your Monitoring Console, since it uses some rest commands.
There are two kinds of things to modify to suit your environment. They are marked <#SOMETHING#> in the code: remove the <# #> markers and replace SOMETHING with what you have. 😛
The first two are one of our Search Head Cluster members, used to retrieve the users' context (real name and roles).
Then we match all our Splunk search head members with "ITGSPLKPRDSH*", which relies on our naming convention (they are called itgsplkprdsh01, itgsplkprdsh02, itgsplkprdsh03, etc.).
Enjoy and may the Splunk be with you, always ! ^_^
<form>
<label>SPLK top users per runtime (clic on any line to get details of all search for that user within the bottom panel)</label>
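<!-- Form inputs: a time-range picker (token temps) and two multiselects that each build an OR-ed "user=" filter, one keyed by login id and one labelled by real name. Both filters are consumed by the first panel's search. -->
<fieldset submitButton="true" autoRun="true">
  <input type="time" token="temps" searchWhenChanged="false">
    <label>periode</label>
    <default>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </default>
  </input>
  <!-- Filter by login id. Each selected value is emitted as user="value" (valuePrefix plus valueSuffix) so a login containing spaces or other SPL-significant characters stays a single search term; the default * still matches every user. -->
  <input type="multiselect" token="usersfilterglobal">
    <label>utilisateurs (par id)</label>
    <choice value="*">All</choice>
    <default>*</default>
    <prefix>(</prefix>
    <suffix>)</suffix>
    <initialValue>*</initialValue>
    <valuePrefix>user="</valuePrefix>
    <valueSuffix>"</valueSuffix>
    <delimiter> OR </delimiter>
    <fieldForLabel>title</fieldForLabel>
    <fieldForValue>title</fieldForValue>
    <!-- The choice list comes from the users REST endpoint of one search head, so whoever opens the dashboard must be allowed to run | rest and list users there. NOTE(review): confirm which roles can open this dashboard. -->
    <search>
      <query>|rest splunk_server=<#ONE OF YOUR SEARCH HEAD TO GET USER NAME AND ROLES#> /services/authentication/users | fields title | dedup title</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
  </input>
  <!-- Same filter, but the choices are labelled with realname while the value stays the login (title renamed to user). Values are quoted the same way as in the input above. -->
  <input type="multiselect" token="utilisateursfilterglobal">
    <label>utilisateurs (par nom)</label>
    <choice value="*">All</choice>
    <default>*</default>
    <prefix>(</prefix>
    <suffix>)</suffix>
    <initialValue>*</initialValue>
    <valuePrefix>user="</valuePrefix>
    <valueSuffix>"</valueSuffix>
    <delimiter> OR </delimiter>
    <fieldForLabel>realname</fieldForLabel>
    <fieldForValue>user</fieldForValue>
    <search>
      <query>|rest splunk_server=<#ONE OF YOUR SEARCH HEAD TO GET USER NAME AND ROLES#> /services/authentication/users | fields title , realname | rename title as user</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
  </input>
</fieldset>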
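<!-- Panel 1: per user and search type, the search count and the median, 90th percentile and cumulative runtime over the selected period, sorted by cumulative runtime. Clicking a cell selects that row's user for the detail panel below. -->
<row>
  <panel>
    <title>Top cumulative runtime by users and search type</title>
    <table>
      <!-- The join at the end of the query adds realname, roles and defaultApp from the users REST endpoint. Its splunk_server is written as a placeholder like the other REST lookups in this dashboard instead of a fixed internal host name, so it must be replaced with one of your own search heads. The final "fields - search" keeps search text out of this summary table. -->
      <search>
        <query>`dmc_audit_get_searches(<#ITGSPLKPRDSH*#>)`| search $usersfilterglobal$ AND $utilisateursfilterglobal$| stats min(_time) as _time, values(user) as user, max(total_run_time) as total_run_time, first(search) as search, first(search_type) as search_type, first(apiStartTime) as apiStartTime, first(apiEndTime) as apiEndTime by search_id
| where isnotnull(search) | stats median(total_run_time) as median_runtime Perc90(total_run_time) as Perc90_runtime sum(total_run_time) as cum_runtime count(search) as count max(_time) as last_use first(search) as search by user,search_type
| eval last_use = strftime(last_use, "%F %T")
| fields user, count, median_runtime, Perc90_runtime, cum_runtime, last_use,search,search_type | sort - cum_runtime
| rename user as user, count as "Search Count", median_runtime as "Median Runtime", Perc90_runtime as "90th Percentile Runtime", cum_runtime as "Cumulative Runtime", last_use as "Last Search"
| fieldformat "Median Runtime" = `dmc_convert_runtime('Median Runtime')`
| fieldformat "90th Percentile Runtime" = `dmc_convert_runtime('90th Percentile Runtime')`
| fieldformat "Cumulative Runtime" = `dmc_convert_runtime('Cumulative Runtime')` | join type=left user [|rest splunk_server=<#ONE OF YOUR SEARCH HEAD TO GET USER NAME AND ROLES#> /services/authentication/users | fields title , realname, roles, defaultApp | rename title as user] | fields - search</query>
        <earliest>$temps.earliest$</earliest>
        <latest>$temps.latest$</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
      <!-- A click stores the clicked row's user and realname in the tokens usersel and realnamesel, which the detail panel reads. -->
      <drilldown>
        <set token="usersel">$row.user$</set>
        <set token="realnamesel">$row.realname$</set>
      </drilldown>
    </table>
  </panel>
</row>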
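<!-- Panel 2: every search run by the user selected in the table above, read from the audit trail, with runtime statistics per search and search type. -->
<row>
  <panel>
    <table>
      <title>User $realnamesel$ ($usersel$) search activity</title>
      <!-- The query is wrapped in CDATA because the rex named group contains a literal "<", which is not well-formed XML outside CDATA. The user token goes through the |s filter so the selected value is inserted as one quoted string rather than as raw SPL. -->
      <!-- NOTE(review): this panel shows the raw search strings extracted from index=_audit; these can contain sensitive values typed by users, so restrict who can read this dashboard and the _audit index. -->
      <search>
        <query><![CDATA[(search_id!="rsa_*" action=search host=<#ITGSPLKPRDSH*#> index=_audit sourcetype=audittrail) user=$usersel|s$
| eval search_type=case(match(search_id,"^SummaryDirector_"),"summarization",match(search_id,"^((rt_)?scheduler__|alertsmanager_)"),"scheduled",match(search_id,"\\d{10}\\.\\d+(_[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})?$"),"ad hoc",true(),"other") | rex "(?ms)search='(?<searchstring>.*)', autojoin=" | eval search=if((isnull(savedsearch_name) OR (savedsearch_name == "")),search,savedsearch_name) | stats min(_time) as _time, values(user) as user, max(total_run_time) as total_run_time, first(search) as search, values(searchstring) as searchstrings ,first(search_type) as search_type, first(apiStartTime) as apiStartTime, first(apiEndTime) as apiEndTime by search_id
| where isnotnull(search) | stats median(total_run_time) as median_runtime, Perc90(total_run_time) as Perc90_runtime, sum(total_run_time) as cum_runtime, count as count, max(_time) as last_use first(searchstrings) as searchstrings by user,search_type,search | eval last_use = strftime(last_use, "%F %T")
| fields user, count, median_runtime, Perc90_runtime, cum_runtime, last_use,search,search_type searchstrings | sort - cum_runtime
| rename user as user, count as "Search Count", median_runtime as "Median Runtime", Perc90_runtime as "90th Percentile Runtime", cum_runtime as "Cumulative Runtime", last_use as "Last Search"
| fieldformat "Median Runtime" = `dmc_convert_runtime('Median Runtime')`
| fieldformat "90th Percentile Runtime" = `dmc_convert_runtime('90th Percentile Runtime')`
| fieldformat "Cumulative Runtime" = `dmc_convert_runtime('Cumulative Runtime')` | fields - user]]></query>
        <earliest>$temps.earliest$</earliest>
        <latest>$temps.latest$</latest>
      </search>
      <option name="count">100</option>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </table>
  </panel>
</row>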
</form>