topic Re: How to retrieve search name by search id in Splunk Search

How to retrieve search name by search id

danielwan — Tue, 29 Sep 2020 16:14:37 GMT

my splunk server has high CPU usage and I saw a bunch of splunkd process like below

search --id=admin_adminsearch_search9_xxxxx.yyyyy --maxbuckets=0 --ttl=600 --maxout=500000 --maxtime=8640000 --lookups=1 --reduce_freq=10 --user=admin --pro --roles=admin:can_delete:power:user

These searches seem to run periodically.

How could I look up scheduled/ad-hoc searches name by these search_ids, and furthermore, to retrieve the search query content?

Re: How to retrieve search name by search id

tlam_splunk — Fri, 13 Oct 2017 06:45:21 GMT

You could use the search id to find the corresponding search folder in the $SPLUNK_HOME/var/run/splunk/dispatch. Inside the search folder, you could find the search content for that particular search.

Re: How to retrieve search name by search id

niketn — Sat, 14 Oct 2017 04:29:25 GMT

@danielwan, you can use Splunk REST API to pull the search details along with Query, earliest and latest time and other details (you can also view search results). If you want to reuse/rerun the search you can use request.search, searchEarliestTime, searchLatestTime :

| rest /services/search/jobs/admin_adminsearch_search9_xxxxx.yyyyy
| table sid title eai:acl.app eai:acl.owner request.search searchEarliestTime searchLatestTime custom.dispatch.earliest_time custom.dispatch.latest_time

Please try and confirm. Following is the link to Splunk Documentation for Splunk REST API reference: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D

Re: How to retrieve search name by search id

efavreau — Fri, 25 Jan 2019 20:45:55 GMT

There's already an accepted answer. However, if that's not working for you, and you have the sid, then you can use index=_audit to get to the search. Note the search field has items that you probably don't want, so there's a couple rex commands to boil it down to only the SPL.

index=_audit search=* action=search search_id=*admin_adminsearch_search9_xxxxx.yyyyy* 
| rex "search='search (?<search>[^\e]+)" 
| rex mode=sed field=search "s/', autojoin=[^\e]+//g"

If this helps anyone, please upvote the answer!