All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I display a list of PIDS for all searches running in my environment with a timerange of all-time?

jwoger_splunk
Splunk Employee
Splunk Employee
‎02-03-2015 01:20 PM
 
Reply
1 Solution
Solved! Jump to solution
Solution

RicoSuave
Builder
‎02-03-2015 01:22 PM

Assuming you have the ps_sos script enabled in your environment from the SOS app, you can use the following search.

index=sos sourcetype=ps [search index=_audit action=search user=* (apiStartTime='ZERO_TIME' AND apiEndTime='ZERO_TIME') | rex field=_raw "search_id\=\'(?<scrubbedsearch>\w+\.\w+)" | eval ARGS="*" + scrubbedsearch + "*" | fields + ARGS] | fields + PID | DEDUP PID | table PID

This will give you the following output:

alt text

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution
Solution

RicoSuave
Builder
‎02-03-2015 01:22 PM

Assuming you have the ps_sos script enabled in your environment from the SOS app, you can use the following search.

index=sos sourcetype=ps [search index=_audit action=search user=* (apiStartTime='ZERO_TIME' AND apiEndTime='ZERO_TIME') | rex field=_raw "search_id\=\'(?<scrubbedsearch>\w+\.\w+)" | eval ARGS="*" + scrubbedsearch + "*" | fields + ARGS] | fields + PID | DEDUP PID | table PID

This will give you the following output:

alt text

Preview file
1 KB
Reply
Solved! Jump to solution

ramdaspr
Contributor
‎02-13-2015 12:03 AM

Splunk only processes time beyond the unix epoch event i.e. 1/1/1970 so 1969 and earlier wont work for you

0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎02-13-2015 01:01 PM

While true, 1969-12-31 4pm Pacific time is the epoch (time = 0), so theoretically I should get 0 rather than null.

0 Karma
Reply
Solved! Jump to solution

ramdaspr
Contributor
‎02-13-2015 04:11 PM

Aah.. excellent point. I didn't parse the string before commenting..

Looks like a bug in that case, it seems to ignore the UTC offset in the calculation. You might want to add a tag for bug to see if someone can help.

I tried locally with the below code which should have worked but no dice..

| gentimes start=-1 | eval time="1970-01-01T10:00:00+1000" | eval timestamp=strptime(time,"%Y-%m-%dT%H:%M:%S%z") | eval timelocal=strftime(timestamp,"%Y-%m-%dT%H:%M:%S%z")| table time,timestamp,timelocal
0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎02-12-2015 04:39 PM

I was trying to do something with | rest /services/search/jobs, since it has PID and earliestTime, but for some reason my strptime call isn't parsing 1969-12-31T16:00:00-08:00 for me. Maybe somebody else can give that a whack.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...