Hi Everyone!
I need some help to identify which users are running the longest/bad searches. Sometimes Splunk goes very slow, and it indicates that someone is running searches/jobs that are not good, and I want to identify who it is and see the search string for that user.
Is there someone who can help me with a query?
The _audit index should have this information.
This would show a list of searches sorted by execution time by user:
index=_audit action="search" search=* NOT user="splunk-system-user" exec_time=* | table search total_run_time user | sort - total_run_time
You could also look at which users have the longest running searches on average:
index=_audit action="search" search=* NOT user="splunk-system-user" exec_time=* | stats avg(total_run_time) by user
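An added example, not part of any post in this thread: a variant of the two queries above that groups audit events by search ID, so that the user, the search string and the run time land on one row even when they are logged in separate events. It assumes that the `info`, `search_id`, `search` and `total_run_time` fields are extracted from `_audit` search events in your deployment and that your role can read other users' events in `_audit`.

```spl
index=_audit action=search search_id=* (info=granted OR info=completed) NOT user="splunk-system-user"
| stats first(user) AS user, values(search) AS search, max(total_run_time) AS total_run_time BY search_id
| where isnotnull(total_run_time)
| sort - total_run_time
| head 20
| table user total_run_time search_id search
```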
Hi @asneed_eu
Thanks for your reply. It seems to work, but I can only see my username. I can't see other users.
Besides that, I can't see the total_run_time, and in the search field it's only "*".
It's out of the box with the MC (DMC):
search -> activity -> Search Usage Statistics: Deployment
Hi @adonio
Is this in splunk-master? If it is, then I can only see users that have access to splunk-master, and that is only 3 persons.
Not the Cluster Master; it's called Splunk Monitoring Console.
https://docs.splunk.com/Documentation/Splunk/7.3.0/DMC/DMCoverview
https://docs.splunk.com/Documentation/Splunk/7.3.0/DMC/Searchusagestatistics
I can only see "Add Data"; there is no Splunk Monitoring Console. I can only find it in master.
And I'm an admin user.