Re: Help debugging job inspector data

gesman · ‎02-18-2015

When i run search:
index=my_summary sourcetype=stash ip=13.13.137.13 | head 5

Job inspector's "normalizedSearch" as well as "remoteSearch" shows this:

litsearch index=my_summary sourcetype=stash ( ( ( sourcetype=access_combined_wcookie ) AND ( ( clientip="13.13.137.13" ) ) ) OR ( ( sourcetype=mnxxx ) AND ( ( vxxxIP="13.13.137.13" ) ) ) OR ( ( sourcetype=ncxxx ) AND ( ( SUBJECT_IP="13.13.137.13" ) ) ) ) OR ( ip="13.13.137.13" ) | litsearch index=my_summary sourcetype=stash ip=13.13.137.13 | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" | prehead limit=5 null=false keeplast=false

Why litsearch looking for other sourcetypes I did not explicitly requested?
Why litsearch query seemingly appears twice running similar query?
How to judge the performance of query from job Inspector's data (besides using runDuration value)?

dominiquevocat · ‎08-04-2016

Um, maybe limiting search commands in one of the roles you have?

Help debugging job inspector data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation