Splunk Search

Can I open Search Job Inspector for two different searches simultaneously?

Explorer

Using Splunk Enterprise 7.0.1 in the Microsoft Edge browser, I have two Splunk Search pages open (each one in a different Edge window).

I have two different versions of the same search, and I am comparing them for efficiency/speed.

This is not a production issue, I am just working on my understanding of Splunk.

After running the first version of the search, I click Job -> Inspect Job.

This causes a new Search Job Inspector Window to appear, with the Executation costs and other info for that search.

The problem is, when I go to open Search Job Inspector for the second search, so I can compare them side by side, the same Search Job Inspector window is used, quickly refreshing to contain the Search information about that second search.

A work around would be to have each search opened in a different browser, but other than this, is there an easy way to compare Search Job Inspector information for two searches side by side (either in the same window, or two separate ones?)

0 Karma
1 Solution

Legend

@XavierTaylor,

Option 1: Use REST API to get Search Job Details.

You need to perform the following two steps:

Step 1) Get the Search job SID either by adding following pipe | addinfo to your searches or from Job Inspector itself
Step 2) Pass the SID to following rest call to get the Search Job details | rest /services/search/jobs/<YourSearchJobSID>

For example I ran the following two searches with sid 1515741264.352 and 1515741251.351 respectively

| rest /services/search/jobs/1515741264.352
| append [| rest /services/search/jobs/1515741251.351] 

You can retain specific fields which you are interested in. REST API Reference document link: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7...

Option 2: Search Job Manager in Splunk
If you are only interested in Search Job Run Duration to compare performance you can run the two searches and open the Job Manager from Activity > Jobs menu in Splunk which should have the searches and corresponding run duration in tabular format.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

The answer from @niketnilay is great, but I wanted to share a workaround I'd found for users who access Splunk via the Chrome browser.

After you open a job inspector window by clicking Job > Inspect Job, right click on the title bar at the top of the new window. Select the option Show as tab. This job inspector window will now stay open even if you open a new job inspector window, allowing you to lay both windows side by side. You can repeat this with multiple job inspector windows, allowing you to have as many open at once as you prefer.

EDITED TO ADD:
Another way to accomplish this in any browser is to load the job inspector window, copy the URL from the address bar, and then open a new tab in your primary browser window and paste in the URL.

Explorer

Thank you @elliotproebstel. I am really impressed with the helpfulness of this community, even on a fairly boring and minor question like this.

@XavierTaylor - Glad to help. I can't tell you how many times I frustrated myself by clobbering an open job inspector window by trying to open a second and forgetting what the impact would be. 🙂 So I can totally relate.

0 Karma

Legend

@XavierTaylor, we tend to make everything interesting 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Legend

@XavierTaylor,

Option 1: Use REST API to get Search Job Details.

You need to perform the following two steps:

Step 1) Get the Search job SID either by adding following pipe | addinfo to your searches or from Job Inspector itself
Step 2) Pass the SID to following rest call to get the Search Job details | rest /services/search/jobs/<YourSearchJobSID>

For example I ran the following two searches with sid 1515741264.352 and 1515741251.351 respectively

| rest /services/search/jobs/1515741264.352
| append [| rest /services/search/jobs/1515741251.351] 

You can retain specific fields which you are interested in. REST API Reference document link: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7...

Option 2: Search Job Manager in Splunk
If you are only interested in Search Job Run Duration to compare performance you can run the two searches and open the Job Manager from Activity > Jobs menu in Splunk which should have the searches and corresponding run duration in tabular format.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

Explorer

Thank you very much. A great quality answer.

0 Karma

Legend

@XavierTaylor, I am glad you found it useful... Happy Friday!!! 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!