Hello,
We have a few thousand saved searches. Most of them are scheduled at the top of the hour, and it's affecting performance across the enterprise. Is there a search I can run that shows me the name of the saved search, the next time it is scheduled and the owner? This way I can direct the owner to use a cron schedule and an off-hour time to mitigate our performance issue.
Thank you
Give this a try. This uses the cron schedule of each search to identify whether it runs every 1/5/10/15/20/30/60 minutes on the hour.
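| rest /servicesNS/-/-/saved/searches splunk_server=local ```Inventory of saved searches in every app and owner namespace, read on the local search head. The REST call only returns objects the running user is allowed to read, so run it with a role that can see all apps.```
| where disabled=0 AND is_scheduled=1 ```Keep only enabled, scheduled searches.```
| rex field=cron_schedule "(?<Min>\S+)\s+(?<Hr>\S+)\s+(?<Day>\S+)\s+(?<Mon>\S+)\s+(?<Wday>\S+)" ```Split the five cron fields so each can be tested separately.```
| table author eai:acl.app title disabled is_scheduled cron_schedule next_scheduled_time Min Hr Day Mon Wday search ```next_scheduled_time added because the question asks for the next run time.```
| rename eai:acl.app as appName title as searchName
| eval searchType=case(cron_schedule="* * * * *", "Running Every Minute",
(Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/5"), "Running Every 5 Minute",
(Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/10"), "Running Every 10 Minute",
(Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/15"), "Running Every 15 Minute",
(Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/20"), "Running Every 20 Minute",
(Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/30"), "Running Every 30 Minute",
```The original tested Min="*/30" a second time here, so this branch could never match; Min="0" is the top-of-the-hour schedule the label describes.```
(Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="0"), "On the hour",
```One number followed by one or more ",number" items; the original (\d+,\d+)+ missed lists such as 0,5,10.```
match(cron_schedule,"^\d+(,\d+)+ \* \* \* \*$"), "Running Multiple times every hour",
match(cron_schedule,"^\d+ \* \* \* \*$"), "Running Every Hour",
match(cron_schedule,"^\d+ \d+ \* \* \*$"), "Running Daily",true(),"Other")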
Give this a try. This uses the cron schedule of each search to identify whether it runs every 1/5/10/15/20/30/60 minutes on the hour.
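| rest /servicesNS/-/-/saved/searches splunk_server=local ```Inventory of saved searches in every app and owner namespace, read on the local search head. The REST call only returns objects the running user is allowed to read, so run it with a role that can see all apps.```
| where disabled=0 AND is_scheduled=1 ```Keep only enabled, scheduled searches.```
| rex field=cron_schedule "(?<Min>\S+)\s+(?<Hr>\S+)\s+(?<Day>\S+)\s+(?<Mon>\S+)\s+(?<Wday>\S+)" ```Split the five cron fields so each can be tested separately.```
| table author eai:acl.app title disabled is_scheduled cron_schedule next_scheduled_time Min Hr Day Mon Wday search ```next_scheduled_time added because the question asks for the next run time.```
| rename eai:acl.app as appName title as searchName
| eval searchType=case(cron_schedule="* * * * *", "Running Every Minute",
(Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/5"), "Running Every 5 Minute",
(Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/10"), "Running Every 10 Minute",
(Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/15"), "Running Every 15 Minute",
(Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/20"), "Running Every 20 Minute",
(Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/30"), "Running Every 30 Minute",
```The original tested Min="*/30" a second time here, so this branch could never match; Min="0" is the top-of-the-hour schedule the label describes.```
(Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="0"), "On the hour",
```One number followed by one or more ",number" items; the original (\d+,\d+)+ missed lists such as 0,5,10.```
match(cron_schedule,"^\d+(,\d+)+ \* \* \* \*$"), "Running Multiple times every hour",
match(cron_schedule,"^\d+ \* \* \* \*$"), "Running Every Hour",
match(cron_schedule,"^\d+ \d+ \* \* \*$"), "Running Daily",true(),"Other")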
Awesome. Thank you somesoni2!
Thanks for the assist!