https://community.splunk.com/t5/Getting-Data-In/Number-of-scheduled-searches-and-ad-hoc-searches-per-day/m-p/80831#M16671 <P>I would like to get a total count of the number of scheduled searches and ad-hoc (UI based) searches that are run per day.</P> <P>In pre-5.x Splunk I could use:</P> <P>index=_internal (sourcetype=searches OR sourcetype=scheduler) | timechart span="1d" count(host) by sourcetype</P> <P>Apparently the sourcetype=searches no longer returns results.</P> Mon, 01 Jul 2013 12:45:54 GMT rmorlen 2013-07-01T12:45:54Z https://community.splunk.com/t5/Getting-Data-In/Number-of-scheduled-searches-and-ad-hoc-searches-per-day/m-p/80831#M16671 <P>I would like to get a total count of the number of scheduled searches and ad-hoc (UI based) searches that are run per day.</P> <P>In pre-5.x Splunk I could use:</P> <P>index=_internal (sourcetype=searches OR sourcetype=scheduler) | timechart span="1d" count(host) by sourcetype</P> <P>Apparently the sourcetype=searches no longer returns results.</P> Mon, 01 Jul 2013 12:45:54 GMT https://community.splunk.com/t5/Getting-Data-In/Number-of-scheduled-searches-and-ad-hoc-searches-per-day/m-p/80831#M16671 rmorlen 2013-07-01T12:45:54Z https://community.splunk.com/t5/Getting-Data-In/Number-of-scheduled-searches-and-ad-hoc-searches-per-day/m-p/80832#M16672 <P>Also tried this but the numbers don't look right:</P> <P>index=_audit user!=splunk-system-user | stats count by action</P> Mon, 01 Jul 2013 13:22:22 GMT https://community.splunk.com/t5/Getting-Data-In/Number-of-scheduled-searches-and-ad-hoc-searches-per-day/m-p/80832#M16672 rmorlen 2013-07-01T13:22:22Z https://community.splunk.com/t5/Getting-Data-In/Number-of-scheduled-searches-and-ad-hoc-searches-per-day/m-p/80833#M16673 <P>Number of scheduled searches per day:</P> <P>index=_internal sourcetype="scheduler" | timechart span=1d count(savedsearch_name) by host | addtotals</P> Tue, 14 Jan 2014 18:36:05 GMT https://community.splunk.com/t5/Getting-Data-In/Number-of-scheduled-searches-and-ad-hoc-searches-per-day/m-p/80833#M16673 rmorlen 2014-01-14T18:36:05Z https://community.splunk.com/t5/Getting-Data-In/Number-of-scheduled-searches-and-ad-hoc-searches-per-day/m-p/80834#M16674 <P>If you are collecting process-level information for Splunk processes using the <A href="http://www.splunk.com/goto/sos">S.o.S app</A>'s <CODE>ps_sos.sh</CODE> scripted input, you can break down your daily search workload between scheduled and ad-hoc searches like so:</P> <PRE><CODE>`set_sos_index` sourcetype=ps host=&lt;indexer or search-head host&gt; | multikv | `get_splunk_process_type` | search type="searches" | rex field=ARGS "_--user=(?&lt;search_user&gt;.*?)_--" | rex field=ARGS "--id=(?&lt;sid&gt;.*?)_--" | rex field=sid "remote_(?&lt;search_head&gt;[^_]*?)_" | eval is_remote=if(like(sid,"%remote%"),"remote","local") | eval is_scheduled=if(like(sid,"%scheduler_%"),"scheduled","ad-hoc") | eval is_realtime=if(like(sid,"%rt_%"),"real-time","historical") | eval is_subsearch=if(like(sid,"%subsearch_%"),"subsearch","generic") | eval search_type=is_remote.", ".is_scheduled.", ".is_realtime | timechart span=1d dc(sid) AS "Search count" by is_scheduled </CODE></PRE> <P>Note that you'l need to run this search from within the context of the S.o.S app for the macros it uses to be available. You will also need for the <CODE>ps_sos.sh</CODE> scripted input to have been running for several days on the instance that you are targeting the search against.</P> Wed, 05 Feb 2014 02:16:37 GMT https://community.splunk.com/t5/Getting-Data-In/Number-of-scheduled-searches-and-ad-hoc-searches-per-day/m-p/80834#M16674 hexx 2014-02-05T02:16:37Z