
What's the best way to find the job id for loadjob?

bmorgan
Explorer

The only place I have found the job id is embedded in the link on the jobs page. Is there a way to make the job id appear as a column?

1 Solution

sideview
SplunkTrust

There's no easy way to customize the Jobs page to show you the sid, no.

However, and A) this is crazy, B) this is possibly more work than you want to do, but....

You could take a different approach and build a custom dashboard from Splunk's own audit logs. It's a strange, fun and quite Splunk-ish thing to do.

This search will display info about your searches. Of course only users that can search the _audit index will see these events, so that's one strike right there. Nonetheless..

`index=_audit action=search ( info=granted OR info=completed) | stats first(total_run_time) as run_time last(_time) as _time by search_id`

This basically glues together the start and end events for each job into a single row, you get the time the job started as _time from the 'granted' event, but you get the total_run_time from the 'completed' event.

It'd be nice to wire up your dashboard table so that when you click on it you simply go to the correct permalink. Sadly we don't have anything out of the box that can convert the drilldown arguments (when you click on the table) into a nice redirect to "?sid=12321412321.321", but that would be something you could cook up in an application.js file, by overriding a single method on the correct ViewRedirector module.

As a less nice option, you could totally use what we call 'custom wiring' with drilldown, to make it so that when you click on the chart or table, that the drilldown search you go to is

`| loadjob 123121422231`

For more information see the "Advanced XML > Drilldown Examples" section within the "ui_examples" app on splunkbase.
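
Added example, not part of the original answer or of Splunk's code: the pairing that the stats search above performs, written in Python and run over constructed lines in a simplified audit.log layout (the line format, user names and sids are assumptions). It strips the single quotes around search_id, leaves run_time empty for a job that has no completed event, and rejects a sid that could not be pasted safely after `| loadjob`.

```python
import re

# Constructed sample lines (simplified audit.log layout; values are made up).
SAMPLE_AUDIT = """\
Audit:[timestamp=05-02-2011 10:00:01.000, user=alice, action=search, info=granted , search_id='1304330401.12', search='search index=main error']
Audit:[timestamp=05-02-2011 10:00:04.500, user=alice, action=search, info=completed, search_id='1304330401.12', total_run_time=3.42]
Audit:[timestamp=05-02-2011 10:05:00.000, user=bob, action=search, info=granted , search_id='1304330700.13', search='search index=_internal']
Audit:[timestamp=05-02-2011 10:06:00.000, user=bob, action=edit_user, info=granted ]
"""

# key=value pairs; a value is either '...quoted...' or runs up to ',' or ']'.
PAIR = re.compile(r"(\w+)=('[^']*'|[^,\]]*)")


def parse_event(line):
    """Turn one audit line into a dict, trimming spaces and single quotes."""
    return {k: v.strip().strip("'") for k, v in PAIR.findall(line)}


def jobs_by_sid(text):
    """One row per search_id, built from its granted and completed events."""
    jobs = {}
    for line in text.splitlines():
        ev = parse_event(line)
        sid = ev.get("search_id")
        if ev.get("action") != "search" or not sid:
            continue
        if ev.get("info") not in ("granted", "completed"):
            continue
        row = jobs.setdefault(
            sid, {"user": ev.get("user"), "started": None, "run_time": None})
        if ev["info"] == "granted":
            row["started"] = ev["timestamp"]      # job start time
        else:
            row["run_time"] = float(ev["total_run_time"])
    return jobs


def loadjob_for(sid):
    """Build the loadjob search string, refusing anything that is not a plain sid."""
    if not re.fullmatch(r"[\w.\-]+", sid):
        raise ValueError("unexpected characters in sid: %r" % sid)
    return "| loadjob " + sid


if __name__ == "__main__":
    for sid, row in jobs_by_sid(SAMPLE_AUDIT).items():
        print(row["started"], row["user"], row["run_time"], loadjob_for(sid))
```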


landen99
Motivator
| addinfo | table info_sid

| loadjob info_sid


sideview
SplunkTrust

Cool. Actually there are mechanisms to run what we call 'postprocess' searches against a job. Granted the user-editable module to use this mechanism is not widely used. However to see it you can download the ui_examples app from splunkbase and once it's installed go to /app/ui_examples/simple_search_with_postprocess

0 Karma

bmorgan
Explorer

Actually the latter is preferable. The reason for the question was started by looking for the sid to use with loadjob as it allows further splunking of results, where ?sid=#foo# does not.

0 Karma