Solved: Can you help me build a search that finds schedule...

amirarsalan · ‎02-01-2019

Hi!

I need help with a search to find scheduled reports that are running. I want to know what are exactly running right now.

Is there someone who can help me with that?

chrisyounger · ‎02-01-2019

Hi, try this search:

| rest /services/server/status/resource-usage/splunk-processes 
| dedup search_props.sid 
| search ("data.search_props.type"="datamodel acceleration" OR "data.search_props.type"="report acceleration" OR "data.search_props.type"="scheduled" OR "data.search_props.type"="summary indexing" OR "search_props.type"="datamodel acceleration" OR "search_props.type"="report acceleration" OR "search_props.type"="scheduled" OR "search_props.type"="summary indexing") 
| where (('search_props.mode' == "historical") OR ('search_props.mode' == "historical batch")) 
| fields + "search_props.name", "search_props.app", "search_props.user", "search_props.type", "search_props.mode", "search_props.role", mem_used, pct_cpu, elapsed, "search_props.sid" 
| eval mem_used=round(mem_used,0), pct_cpu=round(pct_cpu,0), elapsed=round(elapsed,0) 
| rename elapsed as "Time Spent (sec)", mem_used as "Memory Used (MB)", pct_cpu as "CPU Usage (%)", "search_props.app" as App, "search_props.mode" as Mode, "search_props.name" as "Scheduled Report Name", "search_props.role" as Role, "search_props.sid" as SID, "search_props.type" as Type, "search_props.user" as User

I Got it out of the monitoring console > search > Scheduler activity > click on the number of running jobs

good luck

View solution in original post

mayurr98 · ‎02-01-2019

Hi you can see information regarding scheduled reports using this query:

index=_internal sourcetype=scheduler

have a look at this accepted answer:
https://answers.splunk.com/answers/345292/list-or-view-scheduled-searches.html

let me know if this helps!

chrisyounger · ‎02-01-2019

Hi, try this search:

| rest /services/server/status/resource-usage/splunk-processes 
| dedup search_props.sid 
| search ("data.search_props.type"="datamodel acceleration" OR "data.search_props.type"="report acceleration" OR "data.search_props.type"="scheduled" OR "data.search_props.type"="summary indexing" OR "search_props.type"="datamodel acceleration" OR "search_props.type"="report acceleration" OR "search_props.type"="scheduled" OR "search_props.type"="summary indexing") 
| where (('search_props.mode' == "historical") OR ('search_props.mode' == "historical batch")) 
| fields + "search_props.name", "search_props.app", "search_props.user", "search_props.type", "search_props.mode", "search_props.role", mem_used, pct_cpu, elapsed, "search_props.sid" 
| eval mem_used=round(mem_used,0), pct_cpu=round(pct_cpu,0), elapsed=round(elapsed,0) 
| rename elapsed as "Time Spent (sec)", mem_used as "Memory Used (MB)", pct_cpu as "CPU Usage (%)", "search_props.app" as App, "search_props.mode" as Mode, "search_props.name" as "Scheduled Report Name", "search_props.role" as Role, "search_props.sid" as SID, "search_props.type" as Type, "search_props.user" as User

I Got it out of the monitoring console > search > Scheduler activity > click on the number of running jobs

good luck

amirarsalan · ‎02-01-2019

Perfect this works.
I have another thing to ask, Can i like monitor the healt of splunk? Why i asking is because splunk went down for us a lot of times both today and yesterday. Its seams that someone is running i big search but im not shure. I dont know how to find the issue

chrisyounger · ‎02-01-2019

if you want to investigate all searches You can click Activity >Jobs at the top right of the screen.

If your splunk crashes, then check index=_internal source=*crash*

good luck

Can you help me build a search that finds scheduled reports that are running?

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)