Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me build a search that finds schedule...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amirarsalan
Explorer
02-01-2019
01:40 AM
Hi!
I need help with a search to find scheduled reports that are running. I want to know what are exactly running right now.
Is there someone who can help me with that?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chrisyounger
SplunkTrust
02-01-2019
01:44 AM
Hi, try this search:
| rest /services/server/status/resource-usage/splunk-processes
| dedup search_props.sid
| search ("data.search_props.type"="datamodel acceleration" OR "data.search_props.type"="report acceleration" OR "data.search_props.type"="scheduled" OR "data.search_props.type"="summary indexing" OR "search_props.type"="datamodel acceleration" OR "search_props.type"="report acceleration" OR "search_props.type"="scheduled" OR "search_props.type"="summary indexing")
| where (('search_props.mode' == "historical") OR ('search_props.mode' == "historical batch"))
| fields + "search_props.name", "search_props.app", "search_props.user", "search_props.type", "search_props.mode", "search_props.role", mem_used, pct_cpu, elapsed, "search_props.sid"
| eval mem_used=round(mem_used,0), pct_cpu=round(pct_cpu,0), elapsed=round(elapsed,0)
| rename elapsed as "Time Spent (sec)", mem_used as "Memory Used (MB)", pct_cpu as "CPU Usage (%)", "search_props.app" as App, "search_props.mode" as Mode, "search_props.name" as "Scheduled Report Name", "search_props.role" as Role, "search_props.sid" as SID, "search_props.type" as Type, "search_props.user" as User
I Got it out of the monitoring console > search > Scheduler activity > click on the number of running jobs
good luck
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
02-01-2019
01:45 AM
Hi you can see information regarding scheduled reports using this query:
index=_internal sourcetype=scheduler
have a look at this accepted answer:
https://answers.splunk.com/answers/345292/list-or-view-scheduled-searches.html
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chrisyounger
SplunkTrust
02-01-2019
01:44 AM
Hi, try this search:
| rest /services/server/status/resource-usage/splunk-processes
| dedup search_props.sid
| search ("data.search_props.type"="datamodel acceleration" OR "data.search_props.type"="report acceleration" OR "data.search_props.type"="scheduled" OR "data.search_props.type"="summary indexing" OR "search_props.type"="datamodel acceleration" OR "search_props.type"="report acceleration" OR "search_props.type"="scheduled" OR "search_props.type"="summary indexing")
| where (('search_props.mode' == "historical") OR ('search_props.mode' == "historical batch"))
| fields + "search_props.name", "search_props.app", "search_props.user", "search_props.type", "search_props.mode", "search_props.role", mem_used, pct_cpu, elapsed, "search_props.sid"
| eval mem_used=round(mem_used,0), pct_cpu=round(pct_cpu,0), elapsed=round(elapsed,0)
| rename elapsed as "Time Spent (sec)", mem_used as "Memory Used (MB)", pct_cpu as "CPU Usage (%)", "search_props.app" as App, "search_props.mode" as Mode, "search_props.name" as "Scheduled Report Name", "search_props.role" as Role, "search_props.sid" as SID, "search_props.type" as Type, "search_props.user" as User
I Got it out of the monitoring console > search > Scheduler activity > click on the number of running jobs
good luck
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amirarsalan
Explorer
02-01-2019
04:54 AM
Perfect this works.
I have another thing to ask, Can i like monitor the healt of splunk? Why i asking is because splunk went down for us a lot of times both today and yesterday. Its seams that someone is running i big search but im not shure. I dont know how to find the issue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chrisyounger
SplunkTrust
02-01-2019
10:21 AM
if you want to investigate all searches You can click Activity >Jobs at the top right of the screen.
If your splunk crashes, then check index=_internal source=*crash*
good luck
Get Updates on the Splunk Community!
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...
.conf24 | Session Scheduler is Live!!
.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...
Introducing the Splunk Community Dashboard Challenge!
Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...
