Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Counting Your searches

carmackd
Communicator
‎09-16-2010 05:28 PM

Is there anyway to count the number of searches ran on an indexer in a 24 hour period?

Tags (2)
0 Karma
Reply
2 Solutions
Solved! Jump to solution
Solution

ftk
Motivator
‎09-16-2010 05:43 PM

The following gives you a total for all adhoc searches run in the past 24 hours:

index=_internal sourcetype="searches" earliest=-24h | stats count

And this one will give you a total for all searches, including saved searches run in the past 24 hours:

index=_internal (sourcetype="searches" OR SavedSplunker) earliest=-24h | stats count

And individual counts by user:

index=_internal (sourcetype="searches" OR SavedSplunker) earliest=-24h | stats count by user

View solution in original post

Reply
Solved! Jump to solution
Solution

hulahoop
Splunk Employee
Splunk Employee
‎09-16-2010 06:58 PM

In the Search App in the Status > Search activity dashboards in Splunk 4.1.x there are dashboards containing the following searches:

Search load over time (last 24 hours)
Search count by user (last 24 hours)
Run time by user (last 24 hours)
Common searches (last hour)
CPU Utilization due to searches
etc.

If you have SplunkWeb running on the indexer these dashboards will display results for that indexer. I'm not sure if these dashboards are built out of the box for distributed search though.

View solution in original post

Reply
Solved! Jump to solution
Solution

hulahoop
Splunk Employee
Splunk Employee
‎09-16-2010 06:58 PM

In the Search App in the Status > Search activity dashboards in Splunk 4.1.x there are dashboards containing the following searches:

Search load over time (last 24 hours)
Search count by user (last 24 hours)
Run time by user (last 24 hours)
Common searches (last hour)
CPU Utilization due to searches
etc.

If you have SplunkWeb running on the indexer these dashboards will display results for that indexer. I'm not sure if these dashboards are built out of the box for distributed search though.

Reply
Solved! Jump to solution
Solution

ftk
Motivator
‎09-16-2010 05:43 PM

The following gives you a total for all adhoc searches run in the past 24 hours:

index=_internal sourcetype="searches" earliest=-24h | stats count

And this one will give you a total for all searches, including saved searches run in the past 24 hours:

index=_internal (sourcetype="searches" OR SavedSplunker) earliest=-24h | stats count

And individual counts by user:

index=_internal (sourcetype="searches" OR SavedSplunker) earliest=-24h | stats count by user
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...