Monitoring Console (MC) search activity is not rec...

brandy81 · ‎07-20-2021

Hi All,

At Monitoring Console (MC) --> Search Activity : Instance, there is "top 20 Memory-consuming searches", which is searching from index=_introspection.

As I run the search, it is not recognizing saved search (scheduled search). Why doesn't the search starting index=_introspection recognize saved search (scheduled search)? It seems not it returns results from all searches.

How do I get to know memory consumption of all searches including saved search(scheduled search)? Do I have to join index=_introspection and index=_audit?

codebuilder · ‎07-23-2021

The DMC does indeed report on saved/scheduled searches. If you are not seeing them you might want to verify that all your instances are forwarding their _introspection logs and/or if they are properly configured for monitoring by the DMC.

See the following for more:
https://docs.splunk.com/Documentation/Splunk/8.2.1/DMC/SearchactivityDeploymentwide
https://docs.splunk.com/Documentation/Splunk/8.2.1/DMC/DMCprerequisites

----
An upvote would be appreciated and Accept Solution if it helps!

Monitoring Console (MC) search activity is not recognizing saved search (scheduled search)

monitoring console

search performance

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)