topic Re: How can find out what search query was executed for a particular search job id? in Splunk Search

How can find out what search query was executed for a particular search job id?

Michael_Wilde — Fri, 26 Mar 2010 01:47:44 GMT

I'm trying to map search performance to specific searches. I have to discover if its possible to marry up a job ID to the search that was executed. Any idea where to start?

Re: How can find out what search query was executed for a particular search job id?

Chris_R_ — Sat, 27 Mar 2010 06:05:18 GMT

One way to match up the job id to your search.

After running a search the artifacts should be kept on your filesystem under /var/run/splunk/dispatch// Under that dir a status.csv file should hold the actual search terms, along with "run time" and various other fields. The searches.log will show what the search is actually doing.

Re: How can find out what search query was executed for a particular search job id?

Michael_Wilde — Mon, 29 Mar 2010 22:39:08 GMT

I was hoping a log in Splunk would reveal it. The web access log shows some of the search query, but its an HTTP post, so its all mangled with escaped characters.

Should i index those "status.csv" files?

Re: How can find out what search query was executed for a particular search job id?

Chris_R_ — Tue, 30 Mar 2010 04:30:12 GMT

To check within splunk you could login to your management port via https https://:8089/services/search/jobs/

After you perform a recent search in your UI you should see the most recent job artifacts there, Not entirely positive this data matches what it's /var/run/splunk/dispatch

Re: How can find out what search query was executed for a particular search job id?

jrodman — Thu, 08 Apr 2010 23:21:43 GMT

The splunk audit.log should map search requests to job ids, which is available in (correction) the audit index.

Re: How can find out what search query was executed for a particular search job id?

Johnvey — Fri, 09 Apr 2010 01:52:24 GMT

In 4.1, there is a job inspector available via the flashtimeline. In the "Actions" menu, choose "Inspect search..." to see all the details of the current job. This inspector is also linked from dashboard panels when there are no results displayed.

Re: How can find out what search query was executed for a particular search job id?

Michael_Wilde — Fri, 09 Apr 2010 12:36:41 GMT

I'd like to see that in a log as well.

Re: How can find out what search query was executed for a particular search job id?

Michael_Wilde — Fri, 09 Apr 2010 12:37:11 GMT

Splunk's logs do not contain the search query text related to a job id

Re: How can find out what search query was executed for a particular search job id?

jrodman — Mon, 28 Sep 2020 09:11:25 GMT

Really? Isn't this precisely that?

03-19-2010 14:09:33.277 INFO AuditLogger - Audit:[timestamp=03-19-2010 14:09:33.277, user=admin, action=search, info=granted , search_id="1269032973.28", search='search * | head 10', autojoin=1, buckets=300, ttl=600, max_count=10000, maxtime=0, enable_lookups=1, extra_fields="*", apiStartTime="Thu Mar 18 14:00:00 2010", apiEndTime="Fri Mar 19 14:09:33 2010"][n/a]