https://community.splunk.com/t5/Splunk-Search/List-or-View-Scheduled-searches/m-p/241477#M71815 <P>While early filtering is a good rule of thumb, in this instance remember the "where" command is categorized as a Distributable Streaming search process, so this would also be done at the index level and more importantly can be done BEFORE the final output, so it does not necessarily generate more traffic as Splunk will send it down as well knowing this fact about the "where" command.</P> <P>But, like I said, and learned from a great teacher I had, that is generally a good rule of thumb to follow <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>Also, the above about Distributable Streaming goes for: eval, fields, rex, where, etc.</P> <P>For the curious, here's a great read to understand how searching works wrt different commands:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/Search/Typesofcommands">https://docs.splunk.com/Documentation/Splunk/7.2.3/Search/Typesofcommands</A></P> Mon, 28 Jan 2019 03:38:24 GMT trav271 2019-01-28T03:38:24Z https://community.splunk.com/t5/Splunk-Search/List-or-View-Scheduled-searches/m-p/241473#M71811 <P>Hello,</P> <P>Does anyone have a search command to find / list all scheduled searches, the time they should run at and the time they ran ? </P> <P>Thank you.</P> <P>Regards,<BR /> David</P> Fri, 22 Jan 2016 14:08:32 GMT https://community.splunk.com/t5/Splunk-Search/List-or-View-Scheduled-searches/m-p/241473#M71811 DavidHourani 2016-01-22T14:08:32Z https://community.splunk.com/t5/Splunk-Search/List-or-View-Scheduled-searches/m-p/241474#M71812 <P>You can view all the scheduled search using</P> <PRE><CODE>| rest /services/saved/searches | where is_scheduled=1 </CODE></PRE> <P>To get a history of scheduled search , check the internal logs</P> <PRE><CODE>index=_internal sourcetype=scheduler | table _time user savedsearch_name status scheduled_time run_time result_count </CODE></PRE> Fri, 22 Jan 2016 16:37:13 GMT https://community.splunk.com/t5/Splunk-Search/List-or-View-Scheduled-searches/m-p/241474#M71812 renjith_nair 2016-01-22T16:37:13Z https://community.splunk.com/t5/Splunk-Search/List-or-View-Scheduled-searches/m-p/241475#M71813 <P>Anyone got any ideas for this issue?!?!</P> Fri, 09 Nov 2018 11:40:37 GMT https://community.splunk.com/t5/Splunk-Search/List-or-View-Scheduled-searches/m-p/241475#M71813 inventsekar 2018-11-09T11:40:37Z https://community.splunk.com/t5/Splunk-Search/List-or-View-Scheduled-searches/m-p/241476#M71814 <P>As always, Splunk continues to improve and with the improvements, I would suggest a different search:</P> <PRE><CODE>| rest /services/saved/searches search="is_scheduled=1" </CODE></PRE> <P>What's the different between this and using <EM>rest</EM> with <EM>where</EM>?<BR /><BR /> In typically Splunk fashion, the earlier you do filtering, the more efficient the search should be. This should push the filtering down to the search peers which means they (potentially) return fewer results to the search head.</P> Mon, 07 Jan 2019 18:47:09 GMT https://community.splunk.com/t5/Splunk-Search/List-or-View-Scheduled-searches/m-p/241476#M71814 triest 2019-01-07T18:47:09Z https://community.splunk.com/t5/Splunk-Search/List-or-View-Scheduled-searches/m-p/241477#M71815 <P>While early filtering is a good rule of thumb, in this instance remember the "where" command is categorized as a Distributable Streaming search process, so this would also be done at the index level and more importantly can be done BEFORE the final output, so it does not necessarily generate more traffic as Splunk will send it down as well knowing this fact about the "where" command.</P> <P>But, like I said, and learned from a great teacher I had, that is generally a good rule of thumb to follow <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>Also, the above about Distributable Streaming goes for: eval, fields, rex, where, etc.</P> <P>For the curious, here's a great read to understand how searching works wrt different commands:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/Search/Typesofcommands">https://docs.splunk.com/Documentation/Splunk/7.2.3/Search/Typesofcommands</A></P> Mon, 28 Jan 2019 03:38:24 GMT https://community.splunk.com/t5/Splunk-Search/List-or-View-Scheduled-searches/m-p/241477#M71815 trav271 2019-01-28T03:38:24Z