Re: identify which user is doing longest searches

amirarsalan · ‎07-10-2019

Hi Everyone!

I need some help to identify which user are running longest/bad searches. Sometimes splunk goes very slow and it indicate that someone running searches/jobs that is not god and I want to identify who it is and see the search string for that user.

Someone that can help me with a query

asneed_eu · ‎07-10-2019

The _audit index should have this information.

This would show a list of searches sorted by execution time by user:

index=_audit action="search" search=* NOT user="splunk-system-user" exec_time=* | table search total_run_time user | sort - total_run_time

You could also look at which users have the longest running searches on average:

index=_audit action="search" search=* NOT user="splunk-system-user" exec_time=* | stats avg(total_run_time) by user

amirarsalan · ‎07-11-2019

Hi @asneed_eu

Thanks for your replay. It seems to works but i can only see my username. Can't see other users.

amirarsalan · ‎07-11-2019

Beside that I can't see the total_run_time and on the search field it's only "*"

adonio · ‎07-10-2019

its out of the box with the MC (DMC)
search -> activity -> Search Usage Statistics: Deployment

amirarsalan · ‎07-11-2019

Hi @adonio

Is this in splunk-master? If it is then i can only see users that have access to splunk-master, and that is only 3 persons.

adonio · ‎07-11-2019

not the Cluster Master, its called Splunk Monitoring Console.
https://docs.splunk.com/Documentation/Splunk/7.3.0/DMC/DMCoverview
https://docs.splunk.com/Documentation/Splunk/7.3.0/DMC/Searchusagestatistics

amirarsalan · ‎07-11-2019

I can only see "Add Data" there is no Splunk Monitoring Console. I can only found it in master.
And i'm a admin user

identify which user is doing longest searches

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms