Monitoring Console (MC) search activity is not rec...

brandy81 · ‎07-20-2021

Hi All,

At Monitoring Console (MC) --> Search Activity : Instance, there is "top 20 Memory-consuming searches", which is searching from index=_introspection.

As I run the search, it is not recognizing saved search (scheduled search). Why doesn't the search starting index=_introspection recognize saved search (scheduled search)? It seems not it returns results from all searches.

How do I get to know memory consumption of all searches including saved search(scheduled search)? Do I have to join index=_introspection and index=_audit?

codebuilder · ‎07-23-2021

The DMC does indeed report on saved/scheduled searches. If you are not seeing them you might want to verify that all your instances are forwarding their _introspection logs and/or if they are properly configured for monitoring by the DMC.

See the following for more:
https://docs.splunk.com/Documentation/Splunk/8.2.1/DMC/SearchactivityDeploymentwide
https://docs.splunk.com/Documentation/Splunk/8.2.1/DMC/DMCprerequisites

----
An upvote would be appreciated and Accept Solution if it helps!

Monitoring Console (MC) search activity is not recognizing saved search (scheduled search)

monitoring console

search performance

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)