Splunk Search

Can you help me build a search that finds scheduled reports that are running?

amirarsalan
Explorer

Hi!

I need help with a search to find scheduled reports that are running. I want to know what are exactly running right now.

Is there someone who can help me with that?

0 Karma
1 Solution

chrisyounger
SplunkTrust
SplunkTrust

Hi, try this search:

| rest /services/server/status/resource-usage/splunk-processes 
| dedup search_props.sid 
| search ("data.search_props.type"="datamodel acceleration" OR "data.search_props.type"="report acceleration" OR "data.search_props.type"="scheduled" OR "data.search_props.type"="summary indexing" OR "search_props.type"="datamodel acceleration" OR "search_props.type"="report acceleration" OR "search_props.type"="scheduled" OR "search_props.type"="summary indexing") 
| where (('search_props.mode' == "historical") OR ('search_props.mode' == "historical batch")) 
| fields + "search_props.name", "search_props.app", "search_props.user", "search_props.type", "search_props.mode", "search_props.role", mem_used, pct_cpu, elapsed, "search_props.sid" 
| eval mem_used=round(mem_used,0), pct_cpu=round(pct_cpu,0), elapsed=round(elapsed,0) 
| rename elapsed as "Time Spent (sec)", mem_used as "Memory Used (MB)", pct_cpu as "CPU Usage (%)", "search_props.app" as App, "search_props.mode" as Mode, "search_props.name" as "Scheduled Report Name", "search_props.role" as Role, "search_props.sid" as SID, "search_props.type" as Type, "search_props.user" as User

I Got it out of the monitoring console > search > Scheduler activity > click on the number of running jobs

good luck

View solution in original post

0 Karma

mayurr98
Super Champion

Hi you can see information regarding scheduled reports using this query:

index=_internal sourcetype=scheduler

have a look at this accepted answer:
https://answers.splunk.com/answers/345292/list-or-view-scheduled-searches.html

let me know if this helps!

chrisyounger
SplunkTrust
SplunkTrust

Hi, try this search:

| rest /services/server/status/resource-usage/splunk-processes 
| dedup search_props.sid 
| search ("data.search_props.type"="datamodel acceleration" OR "data.search_props.type"="report acceleration" OR "data.search_props.type"="scheduled" OR "data.search_props.type"="summary indexing" OR "search_props.type"="datamodel acceleration" OR "search_props.type"="report acceleration" OR "search_props.type"="scheduled" OR "search_props.type"="summary indexing") 
| where (('search_props.mode' == "historical") OR ('search_props.mode' == "historical batch")) 
| fields + "search_props.name", "search_props.app", "search_props.user", "search_props.type", "search_props.mode", "search_props.role", mem_used, pct_cpu, elapsed, "search_props.sid" 
| eval mem_used=round(mem_used,0), pct_cpu=round(pct_cpu,0), elapsed=round(elapsed,0) 
| rename elapsed as "Time Spent (sec)", mem_used as "Memory Used (MB)", pct_cpu as "CPU Usage (%)", "search_props.app" as App, "search_props.mode" as Mode, "search_props.name" as "Scheduled Report Name", "search_props.role" as Role, "search_props.sid" as SID, "search_props.type" as Type, "search_props.user" as User

I Got it out of the monitoring console > search > Scheduler activity > click on the number of running jobs

good luck

0 Karma

amirarsalan
Explorer

Perfect this works.
I have another thing to ask, Can i like monitor the healt of splunk? Why i asking is because splunk went down for us a lot of times both today and yesterday. Its seams that someone is running i big search but im not shure. I dont know how to find the issue

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

if you want to investigate all searches You can click Activity >Jobs at the top right of the screen.

If your splunk crashes, then check index=_internal source=*crash*

good luck

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...