Monitoring Console (MC) search activity is not rec...

brandy81 · ‎07-20-2021

Hi All,

At Monitoring Console (MC) --> Search Activity : Instance, there is "top 20 Memory-consuming searches", which is searching from index=_introspection.

As I run the search, it is not recognizing saved search (scheduled search). Why doesn't the search starting index=_introspection recognize saved search (scheduled search)? It seems not it returns results from all searches.

How do I get to know memory consumption of all searches including saved search(scheduled search)? Do I have to join index=_introspection and index=_audit?

codebuilder · ‎07-23-2021

The DMC does indeed report on saved/scheduled searches. If you are not seeing them you might want to verify that all your instances are forwarding their _introspection logs and/or if they are properly configured for monitoring by the DMC.

See the following for more:
https://docs.splunk.com/Documentation/Splunk/8.2.1/DMC/SearchactivityDeploymentwide
https://docs.splunk.com/Documentation/Splunk/8.2.1/DMC/DMCprerequisites

----
An upvote would be appreciated and Accept Solution if it helps!

Monitoring Console (MC) search activity is not recognizing saved search (scheduled search)

monitoring console

search performance

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?