Splunk Search

Can I open Search Job Inspector for two different searches simultaneously?

XavierTaylor
Explorer

Using Splunk Enterprise 7.0.1 in the Microsoft Edge browser, I have two Splunk Search pages open (each one in a different Edge window).

I have two different versions of the same search, and I am comparing them for efficiency/speed.

This is not a production issue, I am just working on my understanding of Splunk.

After running the first version of the search, I click Job -> Inspect Job.

This causes a new Search Job Inspector Window to appear, with the Executation costs and other info for that search.

The problem is, when I go to open Search Job Inspector for the second search, so I can compare them side by side, the same Search Job Inspector window is used, quickly refreshing to contain the Search information about that second search.

A work around would be to have each search opened in a different browser, but other than this, is there an easy way to compare Search Job Inspector information for two searches side by side (either in the same window, or two separate ones?)

0 Karma
1 Solution

niketn
Legend

@XavierTaylor,

Option 1: Use REST API to get Search Job Details.

You need to perform the following two steps:

Step 1) Get the Search job SID either by adding following pipe | addinfo to your searches or from Job Inspector itself
Step 2) Pass the SID to following rest call to get the Search Job details | rest /services/search/jobs/<YourSearchJobSID>

For example I ran the following two searches with sid 1515741264.352 and 1515741251.351 respectively

| rest /services/search/jobs/1515741264.352
| append [| rest /services/search/jobs/1515741251.351] 

You can retain specific fields which you are interested in. REST API Reference document link: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7...

Option 2: Search Job Manager in Splunk
If you are only interested in Search Job Run Duration to compare performance you can run the two searches and open the Job Manager from Activity > Jobs menu in Splunk which should have the searches and corresponding run duration in tabular format.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

elliotproebstel
Champion

The answer from @niketnilay is great, but I wanted to share a workaround I'd found for users who access Splunk via the Chrome browser.

After you open a job inspector window by clicking Job > Inspect Job, right click on the title bar at the top of the new window. Select the option Show as tab. This job inspector window will now stay open even if you open a new job inspector window, allowing you to lay both windows side by side. You can repeat this with multiple job inspector windows, allowing you to have as many open at once as you prefer.

EDITED TO ADD:
Another way to accomplish this in any browser is to load the job inspector window, copy the URL from the address bar, and then open a new tab in your primary browser window and paste in the URL.

XavierTaylor
Explorer

Thank you @elliotproebstel. I am really impressed with the helpfulness of this community, even on a fairly boring and minor question like this.

elliotproebstel
Champion

@XavierTaylor - Glad to help. I can't tell you how many times I frustrated myself by clobbering an open job inspector window by trying to open a second and forgetting what the impact would be. 🙂 So I can totally relate.

0 Karma

niketn
Legend

@XavierTaylor, we tend to make everything interesting 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@XavierTaylor,

Option 1: Use REST API to get Search Job Details.

You need to perform the following two steps:

Step 1) Get the Search job SID either by adding following pipe | addinfo to your searches or from Job Inspector itself
Step 2) Pass the SID to following rest call to get the Search Job details | rest /services/search/jobs/<YourSearchJobSID>

For example I ran the following two searches with sid 1515741264.352 and 1515741251.351 respectively

| rest /services/search/jobs/1515741264.352
| append [| rest /services/search/jobs/1515741251.351] 

You can retain specific fields which you are interested in. REST API Reference document link: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7...

Option 2: Search Job Manager in Splunk
If you are only interested in Search Job Run Duration to compare performance you can run the two searches and open the Job Manager from Activity > Jobs menu in Splunk which should have the searches and corresponding run duration in tabular format.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

XavierTaylor
Explorer

Thank you very much. A great quality answer.

0 Karma

niketn
Legend

@XavierTaylor, I am glad you found it useful... Happy Friday!!! 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...