
Can you help me build a search that finds scheduled reports that are running?

Explorer

Hi!

I need help with a search to find scheduled reports that are running. I want to know exactly what is running right now.

Is there someone who can help me with that?

1 Solution

SplunkTrust

Hi, try this search:

| rest /services/server/status/resource-usage/splunk-processes 
| dedup search_props.sid 
| search ("data.search_props.type"="datamodel acceleration" OR "data.search_props.type"="report acceleration" OR "data.search_props.type"="scheduled" OR "data.search_props.type"="summary indexing" OR "search_props.type"="datamodel acceleration" OR "search_props.type"="report acceleration" OR "search_props.type"="scheduled" OR "search_props.type"="summary indexing") 
| where (('search_props.mode' == "historical") OR ('search_props.mode' == "historical batch")) 
| fields + "search_props.name", "search_props.app", "search_props.user", "search_props.type", "search_props.mode", "search_props.role", mem_used, pct_cpu, elapsed, "search_props.sid" 
| eval mem_used=round(mem_used,0), pct_cpu=round(pct_cpu,0), elapsed=round(elapsed,0) 
| rename elapsed as "Time Spent (sec)", mem_used as "Memory Used (MB)", pct_cpu as "CPU Usage (%)", "search_props.app" as App, "search_props.mode" as Mode, "search_props.name" as "Scheduled Report Name", "search_props.role" as Role, "search_props.sid" as SID, "search_props.type" as Type, "search_props.user" as User

I got it out of the Monitoring Console > Search > Scheduler Activity > click on the number of running jobs.

Good luck.


SplunkTrust

Hi, you can see information regarding scheduled reports using this query:

index=_internal sourcetype=scheduler

Have a look at this accepted answer:
https://answers.splunk.com/answers/345292/list-or-view-scheduled-searches.html

Let me know if this helps!


Explorer

Perfect, this works.
I have another thing to ask: can I monitor the health of Splunk? The reason I'm asking is that Splunk went down for us a lot of times both today and yesterday. It seems that someone is running a big search, but I'm not sure. I don't know how to find the issue.


SplunkTrust

If you want to investigate all searches, you can click Activity > Jobs at the top right of the screen.

If your Splunk crashes, then check index=_internal source=*crash*

Good luck.
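
An added example, not part of any post in this thread: the accepted answer's type and mode filter applied in Python to the JSON that the same REST endpoint returns with output_mode=json, so running scheduled searches can be checked from a script and the heaviest ones flagged. The payload layout, the sample values and the two thresholds are assumptions made for illustration.

```python
import json

# Same type and mode filters as the accepted search in this thread.
SCHEDULED_TYPES = {"scheduled", "report acceleration",
                   "datamodel acceleration", "summary indexing"}
HISTORICAL_MODES = {"historical", "historical batch"}

# Constructed sample. The entry[].content.search_props JSON layout is an
# assumption about the endpoint's output_mode=json response.
SAMPLE = json.loads("""
{"entry": [
 {"content": {"mem_used": 212.4, "pct_cpu": 18.6, "elapsed": 95.2,
   "search_props": {"sid": "scheduler_a_1", "name": "Nightly Summary",
     "user": "admin", "type": "scheduled", "mode": "historical"}}},
 {"content": {"mem_used": 198.1, "pct_cpu": 17.9, "elapsed": 95.2,
   "search_props": {"sid": "scheduler_a_1", "name": "Nightly Summary",
     "user": "admin", "type": "scheduled", "mode": "historical"}}},
 {"content": {"mem_used": 3000.0, "pct_cpu": 55.0, "elapsed": 40.0,
   "search_props": {"sid": "1700000000.12", "name": "",
     "user": "jdoe", "type": "ad-hoc", "mode": "historical"}}},
 {"content": {"mem_used": 4096.7, "pct_cpu": 97.2, "elapsed": 1840.3,
   "search_props": {"sid": "scheduler_b_2", "name": "Web Accel",
     "user": "svc", "type": "report acceleration", "mode": "historical batch"}}},
 {"content": {"mem_used": 850.0, "pct_cpu": 4.0, "elapsed": 86400.0}}
]}
""")


def running_scheduled(payload, mem_limit_mb=2048, cpu_limit_pct=90):
    """One row per running scheduled search (dedup on sid), heaviest first."""
    # mem_limit_mb and cpu_limit_pct are hypothetical alert thresholds.
    rows, seen = [], set()
    for entry in payload.get("entry", []):
        content = entry.get("content", {})
        props = content.get("search_props") or {}  # non-search processes have none
        sid = props.get("sid")
        if not sid or sid in seen:
            continue
        if (props.get("type") not in SCHEDULED_TYPES
                or props.get("mode") not in HISTORICAL_MODES):
            continue
        seen.add(sid)
        mem, cpu = round(content.get("mem_used", 0)), round(content.get("pct_cpu", 0))
        rows.append({"SID": sid, "Scheduled Report Name": props.get("name"),
                     "User": props.get("user"), "Type": props["type"],
                     "Memory Used (MB)": mem, "CPU Usage (%)": cpu,
                     "Time Spent (sec)": round(content.get("elapsed", 0)),
                     "Over Limit": mem > mem_limit_mb or cpu > cpu_limit_pct})
    return sorted(rows, key=lambda r: r["Memory Used (MB)"], reverse=True)
```

The ad-hoc search and the process without search_props are dropped, as in the SPL version, and the duplicate sid is reported once.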
