I am investigating higher CPU usage on my indexers, and am finding that this is a hard topic to really pinpoint.

I run this search on my search head to identify different searches and the resource consumption, but the results are confusing me.

index=_introspection host=* source=*/resource_usage.log* component=PerProcess data.process_type="search" 
 | stats latest(data.pct_cpu) AS resource_usage_cpu latest(data.mem_used) AS resource_usage_mem by  _time, data.search_props.type,data.search_props.mode,data.search_props.user, data.search_props.app, host data.search_props.label data.elapsed data.search_props.search_head
 | sort - resource_usage_cpu

From this, I can see that the search:

1) Was triggered from sh02

2) Was executed across several my indexers

3) Took ~1500 seconds to run

4) Consumed ~1 core on each instance

BUT:

The search is scheduled for once a day, and that time is not 10:23. It is scheduled for 11. (No window)

There  are dozens on "instances" of this search being executed on all 10 of my indexers, triggered by sh02, in the ~10:22 timeframe. Maybe one row in the table above per indexer might make sense, but this is so many.

What is happening here? How do I read these results to make a sane performance judgement about this situation?