Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to track scheduled search which are using "All Time" time window?

athorat
Communicator
‎06-29-2023 06:36 PM

We have a few users scheduling searches using "all time", time frame.

How can I track those knowledge objets and delete / Pause them?

Labels (1)
Labels
Preview file
144 KB
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-30-2023 12:32 AM

Hi @athorat,

adding a bit to the perfect answer of @danspav, you could disable the all time searches for the role of these users putting a limit to the time frame that they can use.

Ciao.

Giuseppe

0 Karma
Reply

danspav
SplunkTrust
SplunkTrust
‎06-29-2023 08:39 PM

Hi @athorat,

You can see all the scheduled searches that are enabled with an earliest time as "all time" with the below:

 

 

| rest /servicesNS/-/-/saved/searches search="is_scheduled=1" search="disabled=0" search="dispatch.earliest_time=0"  timeout=0
| table dispatch.earliest_time, title, eai:acl.app, eai:acl.owner, search

 

 

 

However, people can get around this by:

  • Using the term "earliest=-10y" in their searches
  • Using 1 instead of 0 for the dispatch.earliest_time
  • Hiding the earliest/latest in a macro or subsearch

But that should find the immediate culprits for you.

 

You can also look in the _audit index to find searches being run with all time:

 

 

index=_audit action=search info=completed search_et IN(0,"N/A")
| stats count, sum(total_run_time) as total_run_time values(provenance) as provenance by app, user
| fieldformat total_run_time=tostring(total_run_time,"duration")
| sort - total_run_time

 

 

There are ways to avoid appearing in this search, but that should give you a good starting point.

Cheers,
Daniel

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...