Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me build a search that finds scheduled reports that are running?

amirarsalan
Explorer
‎02-01-2019 01:40 AM

Hi!

I need help with a search to find scheduled reports that are running. I want to know what are exactly running right now.

Is there someone who can help me with that?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-01-2019 01:44 AM

Hi, try this search:

| rest /services/server/status/resource-usage/splunk-processes 
| dedup search_props.sid 
| search ("data.search_props.type"="datamodel acceleration" OR "data.search_props.type"="report acceleration" OR "data.search_props.type"="scheduled" OR "data.search_props.type"="summary indexing" OR "search_props.type"="datamodel acceleration" OR "search_props.type"="report acceleration" OR "search_props.type"="scheduled" OR "search_props.type"="summary indexing") 
| where (('search_props.mode' == "historical") OR ('search_props.mode' == "historical batch")) 
| fields + "search_props.name", "search_props.app", "search_props.user", "search_props.type", "search_props.mode", "search_props.role", mem_used, pct_cpu, elapsed, "search_props.sid" 
| eval mem_used=round(mem_used,0), pct_cpu=round(pct_cpu,0), elapsed=round(elapsed,0) 
| rename elapsed as "Time Spent (sec)", mem_used as "Memory Used (MB)", pct_cpu as "CPU Usage (%)", "search_props.app" as App, "search_props.mode" as Mode, "search_props.name" as "Scheduled Report Name", "search_props.role" as Role, "search_props.sid" as SID, "search_props.type" as Type, "search_props.user" as User

I Got it out of the monitoring console > search > Scheduler activity > click on the number of running jobs

good luck

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎02-01-2019 01:45 AM

Hi you can see information regarding scheduled reports using this query:

index=_internal sourcetype=scheduler

have a look at this accepted answer:
https://answers.splunk.com/answers/345292/list-or-view-scheduled-searches.html

let me know if this helps!

Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-01-2019 01:44 AM

Hi, try this search:

| rest /services/server/status/resource-usage/splunk-processes 
| dedup search_props.sid 
| search ("data.search_props.type"="datamodel acceleration" OR "data.search_props.type"="report acceleration" OR "data.search_props.type"="scheduled" OR "data.search_props.type"="summary indexing" OR "search_props.type"="datamodel acceleration" OR "search_props.type"="report acceleration" OR "search_props.type"="scheduled" OR "search_props.type"="summary indexing") 
| where (('search_props.mode' == "historical") OR ('search_props.mode' == "historical batch")) 
| fields + "search_props.name", "search_props.app", "search_props.user", "search_props.type", "search_props.mode", "search_props.role", mem_used, pct_cpu, elapsed, "search_props.sid" 
| eval mem_used=round(mem_used,0), pct_cpu=round(pct_cpu,0), elapsed=round(elapsed,0) 
| rename elapsed as "Time Spent (sec)", mem_used as "Memory Used (MB)", pct_cpu as "CPU Usage (%)", "search_props.app" as App, "search_props.mode" as Mode, "search_props.name" as "Scheduled Report Name", "search_props.role" as Role, "search_props.sid" as SID, "search_props.type" as Type, "search_props.user" as User

I Got it out of the monitoring console > search > Scheduler activity > click on the number of running jobs

good luck

0 Karma
Reply
Solved! Jump to solution

amirarsalan
Explorer
‎02-01-2019 04:54 AM

Perfect this works.
I have another thing to ask, Can i like monitor the healt of splunk? Why i asking is because splunk went down for us a lot of times both today and yesterday. Its seams that someone is running i big search but im not shure. I dont know how to find the issue

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-01-2019 10:21 AM

if you want to investigate all searches You can click Activity >Jobs at the top right of the screen.

If your splunk crashes, then check index=_internal source=*crash*

good luck

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...