https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/682118#M233057 <P>You can get cleaner results by adding a table.<BR /><BR /></P><LI-CODE lang="markup">|rest /services/search/jobs | search eventSorting=realtime | table label, author, dispatchState, eai:acl.owner, label, isRealTimeSearch, performance.dispatch.stream.local.duration_secs, runDuration, splunk_server, title</LI-CODE> Wed, 27 Mar 2024 15:26:01 GMT pnodine1 2024-03-27T15:26:01Z https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/292020#M88190 <P>We suspect that some of our users run real time searches. How can I produce a report which shows real time search activity in the past week, month or so?</P> Mon, 08 Jun 2020 18:07:00 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/292020#M88190 ddrillic 2020-06-08T18:07:00Z https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/292021#M88191 <P>hey @ddrillic</P> <P>try this</P> <PRE><CODE>| rest /services/search/jobs | search eventSorting=realtime </CODE></PRE> <P>I hope that helps you!</P> Tue, 09 Jan 2018 16:33:16 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/292021#M88191 mayurr98 2018-01-09T16:33:16Z https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/292022#M88192 <P>I have this running as an alert to let me know who is running rt searches, and how long for</P> <PRE><CODE>| rest /services/search/jobs | search eventSorting=realtime | table label, author, dispatchState, eai:acl.owner, label, isRealTimeSearch, performance.dispatch.stream.local.duration_secs, runDuration, searchProviders, splunk_server, title </CODE></PRE> Tue, 09 Jan 2018 16:38:29 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/292022#M88192 nickhills 2018-01-09T16:38:29Z https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/292023#M88193 <P>use <CODE>|rest /services/search/jobs|search isRealTimeSearch=1</CODE> to see if that gets you what you need. <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/4.3.6/RESTAPI/RESTsearch#GET_search.2Fjobs">http://docs.splunk.com/Documentation/Splunk/4.3.6/RESTAPI/RESTsearch#GET_search.2Fjobs</A> documentation to know what fields you might want</P> Tue, 09 Jan 2018 16:38:37 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/292023#M88193 cmerriman 2018-01-09T16:38:37Z https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/292024#M88194 <P>According to the documentation below, there is not an option for eventSorting=realtime. <BR /> Indicates if the events of this search are sorted, and in which order. <BR /> asc = ascending;</P> <P>desc = descending;</P> <P>none = not sorted</P> <P>Would the actual setting to be used be isRealTimeSearch?</P> Tue, 02 Jun 2020 12:53:16 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/292024#M88194 adobrzeniecki 2020-06-02T12:53:16Z https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/511797#M143505 <P>|rest /services/search/jobs|search isRealTimeSearch=1<SPAN>&nbsp;</SPAN></P><P><SPAN>works however it doesn't seem to work on expired jobs.</SPAN></P> Thu, 30 Jul 2020 16:49:57 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/511797#M143505 splunkreal 2020-07-30T16:49:57Z https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/682118#M233057 <P>You can get cleaner results by adding a table.<BR /><BR /></P><LI-CODE lang="markup">|rest /services/search/jobs | search eventSorting=realtime | table label, author, dispatchState, eai:acl.owner, label, isRealTimeSearch, performance.dispatch.stream.local.duration_secs, runDuration, splunk_server, title</LI-CODE> Wed, 27 Mar 2024 15:26:01 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/682118#M233057 pnodine1 2024-03-27T15:26:01Z https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/703838#M238526 <P>try this:</P> <LI-CODE lang="markup">index=_audit action=search is_realtime=1 | eval search_type=case( search_id LIKE "scheduler%", "Scheduled Search", search_id LIKE "rt_scheduler%", "Real-Time Scheduled Search", search_id LIKE "dashboard%", "Dashboard", search_id LIKE "adhoc%", "Ad-hoc Search", 1=1, "Ad-hoc Search" ) | eval human_readable_time = strftime(_time, "%Y-%m-%d %H:%M:%S") | stats count by user, search_type, _time | rename human_readable_time AS "Time", user AS "User", search_type AS "Search Type", count AS "Search Count" | sort - "Time"</LI-CODE> Thu, 07 Nov 2024 18:31:17 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-identify-real-time-searches/m-p/703838#M238526 Dallastek1 2024-11-07T18:31:17Z