topic Re: Splunk Searches in Splunk Search

Splunk Searches

whitecat001 — Thu, 16 May 2024 16:38:25 GMT

Pls what is the rest endpoint for searches that users are running

Re: Splunk Searches

deepakc — Thu, 16 May 2024 16:41:45 GMT

For running jobs - try this from the GUI - see the link for curl base CLI command

| rest splunk_server=local /services/search/jobs | fields author title, updated, search, runDuration, provenance, latestTime, owner eai:acl.app, diskUsage | rename author AS user eai:acl.app AS app title AS search_code | eval diskUsage_MB = round(diskUsage/1024/1024,2) | table user search_code, updated, search, runDuration, provenance, latestTime, owner, app diskUsage_MB

Here's the Rest API and others

https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTsearch#search.2Fjobs

Re: Splunk Searches

whitecat001 — Thu, 16 May 2024 17:04:31 GMT

Thanks for the response can i get a query that helps to show how much searches are been ran per indexes volume

Re: Splunk Searches

deepakc — Thu, 16 May 2024 17:58:40 GMT

Maybe this is what you need. Note, as far as I know there are no fields that show the index used by a search, that show the index used by searches, so you have to extract that from the SPL code, and index= can be all over the place in the code and also in macros, so its tricky, but may be this will work for you.

This shows the count of searches by index_used

| rest splunk_server=local /services/search/jobs | fields author title, updated, search, runDuration, provenance, latestTime, owner eai:acl.app, diskUsage | rename author AS user eai:acl.app AS app title AS search_code | rex field=search_code "(?<index_used>index\s*=\s*[^ ]+|index\s+IN|search\s*=\s*index=|search\s*=\s*inputlookup\s+in|index\s*=_\*)" | stats count(search_code) AS volume_of_searches_ran BY index_used | sort - volume_of_searches_ran