Reporting

Whats the best way to find the job id for loadjob

bmorgan
Explorer

The only place I have found the job id is embedded in the link on the jobs page. Is there a way to make the job id appear as a column?

Tags (1)
1 Solution

sideview
SplunkTrust
SplunkTrust

There's no easy way to customize the Jobs page to show you the sid, no.

However, and A) this is crazy, B) this is possibly more work than you want to do, but....

you could take a different approach and build a custom dashboard from splunk's own audit logs. it's a strange, fun and quite splunk-ish thing to do.

This search will display info about your searches. Of course only users that can search the _audit index will see these events, so that's one strike right there. Nonetheless..

index=_audit action=search ( info=granted OR info=completed) | stats first(total_run_time) as run_time last(_time) as _time by search_id

This basically glues together the start and end events for each job into a single row, you get the time the job started as _time from the 'granted' event, but you get the total_run_time from the 'completed' event.

It'd be nice to wire up your dashboard table so that when you click on it you simply go to the correct permalink. Sadly we dont have anything out of the box that can convert the drilldown arguments (when you click on the table) into a nice redirect to "?sid=12321412321.321", but that would be something you could cook up in an application.js file, by overriding a single method on the correct ViewRedirector module.

As a less nice option, you could totally use what we call 'custom wiring' with drilldown, to make it so that when you click on the chart or table, that the drilldown search you go to is

`| loadjob 123121422231'

For more information see the "Advanced XML > Drilldown Examples" section within the "ui_examples" app on splunkbase.

View solution in original post

landen99
Motivator
| addinfo | table info_sid

| loadjob info_sid

sideview
SplunkTrust
SplunkTrust

There's no easy way to customize the Jobs page to show you the sid, no.

However, and A) this is crazy, B) this is possibly more work than you want to do, but....

you could take a different approach and build a custom dashboard from splunk's own audit logs. it's a strange, fun and quite splunk-ish thing to do.

This search will display info about your searches. Of course only users that can search the _audit index will see these events, so that's one strike right there. Nonetheless..

index=_audit action=search ( info=granted OR info=completed) | stats first(total_run_time) as run_time last(_time) as _time by search_id

This basically glues together the start and end events for each job into a single row, you get the time the job started as _time from the 'granted' event, but you get the total_run_time from the 'completed' event.

It'd be nice to wire up your dashboard table so that when you click on it you simply go to the correct permalink. Sadly we dont have anything out of the box that can convert the drilldown arguments (when you click on the table) into a nice redirect to "?sid=12321412321.321", but that would be something you could cook up in an application.js file, by overriding a single method on the correct ViewRedirector module.

As a less nice option, you could totally use what we call 'custom wiring' with drilldown, to make it so that when you click on the chart or table, that the drilldown search you go to is

`| loadjob 123121422231'

For more information see the "Advanced XML > Drilldown Examples" section within the "ui_examples" app on splunkbase.

sideview
SplunkTrust
SplunkTrust

Cool. Actually there are mechanisms to run what we call 'postprocess' searches against a job. Granted the user-editable module to use this mechanism is not widely used. However to see it you can download the ui_examples app from splunkbase and once its installed go to /app/ui_examples/simple_search_with_postprocess

0 Karma

bmorgan
Explorer

Actually the latter is preferable. The reason for the question was started by looking for the sid to use with loadjob as it allows further splunking of results, where ?sid=#foo# dose not.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...