What was running at xx:xx

I would have thought this would be easy, but I'm unsure how to do it. I had a very high CPU spike on one of the peers in my search head cluster. I would like to know what Splunk jobs (scheduled or ad hoc searches) were running at a certain time on a certain search head. Can someone help me with the appropriate search query?

Check out David Paper's excellent dashboard that analyzes searches:
https://splunk-usergroups.slack.com/files/U04JY7N3G/FFGJD40AJ/extended_search_reporting.xml
https://gist.github.com/automine/06cdf246416223dacfa4edd895d0b7de

Introspection logs contain details of the searches and all the good details such as their resource utilization, the user, app, etc.
index=_introspection host=<your search head> sid
Hope this helps. Please mark as answer if this is what you were looking for.
Cheers
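
An expanded form of the introspection search above, added here as an example and not part of the original reply: it ranks the searches that were running in a chosen window by peak CPU. It assumes the default resource-usage introspection data (sourcetype `splunk_resource_usage`, component `PerProcess`) with its `data.search_props.*` fields; the host and the two time bounds are placeholders to fill in around the spike.

```spl
index=_introspection host=<your search head> sourcetype=splunk_resource_usage component=PerProcess data.search_props.sid=*
    earliest="<MM/DD/YYYY:HH:MM:SS>" latest="<MM/DD/YYYY:HH:MM:SS>"
| stats max(data.pct_cpu) AS peak_cpu_pct
        max(data.mem_used) AS peak_mem_used
        max(data.elapsed) AS elapsed_sec
        latest(data.search_props.user) AS user
        latest(data.search_props.app) AS app
        latest(data.search_props.type) AS type
        latest(data.search_props.label) AS saved_search
        BY data.search_props.sid
| sort - peak_cpu_pct
```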

Do you have the Monitoring Console set up for your deployment? If you do, there are many good dashboards available in the Monitoring Console to troubleshoot exactly that, e.g. https://docs.splunk.com/Documentation/Splunk/8.0.0/DMC/ResourceusageDeployment

Found it in MC, thanks somesoni2!!!
