SH-Deployer/apps/splunk_health_overview/default/savedsearches.conf

[avail_indexes]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 0 0 * * 6
dispatch.earliest_time = -30d
dispatch.latest_time = now
disabled = false
enableSched = 1
search = | tstats values(sourcetype) AS sourcetype where index=* by index | mvexpand sourcetype | rename index AS title  | join type=left title [| rest /services/data/indexes | eval retention=frozenTimePeriodInSecs/60/60/24 | stats min(retention) AS retention by title] | rename title AS Index | table Index sourcetype retention | sort + Index | outputlookup avail_indexes.csv
run_on_startup = true


[server_lookup]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 0 0 * * 6
disabled = false
dispatch.earliest_time = 0
dispatch.latest_time = 
enableSched = 1
search = | rest splunk_server=* /services/server/info | mvexpand server_roles | search server_roles!=search_peer | rename server_roles AS role splunk_server AS host | table host guid role version | outputlookup all_servers.csv
run_on_startup = true

[server_lookup_v6_1]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 0 0 * * 6
disabled = true
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
enableSched = 1
search = index=_internal sourcetype=splunkd component=ServerRoles role!=license_slave* role!=search_peer* |rex field=role "(?<role>\S+)\." |dedup host role | join host [|rest splunk_server=* /services/server/info | rename serverName AS host | fields host guid version] | rename server_role AS role | table host role guid version | outputlookup all_servers.csv

[savedsearch_state_lookup]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 0 * * * *
disabled = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = now
enableSched = 1
search = index=_internal sourcetype=scheduler OR (sourcetype=splunk_web_service "loading saved search") OR (sourcetype=splunkd_access method=POST /saved/searches)    | rex "\/saved\/searches\/(?<savedsearch_name>[^/]+) HTTP?"     | rex "saved\ssearch\s\"\/\w+\/(?<user>\w+)\/(?<app>\w+)\/\w+\/\w+\/(?<savedsearch_name>.+)\"\s"   | eval savedsearch_name=urldecode(savedsearch_name)    | search savedsearch_name!=_ACCELERATE* | stats avg(run_time) AS "Avg Runtime" max(run_time) AS "Max Runtime" min(_time) as first_time,max(_time) as last_time by savedsearch_name  | inputlookup append=T savedsearch_runtimes.csv | stats max("Max Runtime") AS "Max Runtime" max("Avg Runtime") AS "Avg Runtime" min(first_time) as first_time, max(last_time) as last_time by savedsearch_name  | outputlookup savedsearch_runtimes.csv