Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I identify real time searches?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
01-09-2018
08:19 AM
We suspect that some of our users run real time searches. How can I produce a report which shows real time search activity in the past week, month or so?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-09-2018
08:33 AM
hey @ddrillic
try this
| rest /services/search/jobs | search eventSorting=realtime
I hope that helps you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
01-09-2018
08:38 AM
use |rest /services/search/jobs|search isRealTimeSearch=1 to see if that gets you what you need.
http://docs.splunk.com/Documentation/Splunk/4.3.6/RESTAPI/RESTsearch#GET_search.2Fjobs documentation to know what fields you might want
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkreal
Motivator
07-30-2020
09:39 AM
|rest /services/search/jobs|search isRealTimeSearch=1
works however it doesn't seem to work on expired jobs.
* If this helps, please upvote or accept solution if it solved *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dallastek1
Path Finder
11-07-2024
10:19 AM
try this:
index=_audit action=search is_realtime=1
| eval search_type=case(
search_id LIKE "scheduler%", "Scheduled Search",
search_id LIKE "rt_scheduler%", "Real-Time Scheduled Search",
search_id LIKE "dashboard%", "Dashboard",
search_id LIKE "adhoc%", "Ad-hoc Search",
1=1, "Ad-hoc Search"
)
| eval human_readable_time = strftime(_time, "%Y-%m-%d %H:%M:%S")
| stats count by user, search_type, _time
| rename human_readable_time AS "Time", user AS "User", search_type AS "Search Type", count AS "Search Count"
| sort - "Time"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
01-09-2018
08:38 AM
I have this running as an alert to let me know who is running rt searches, and how long for
| rest /services/search/jobs | search eventSorting=realtime | table label, author, dispatchState, eai:acl.owner, label, isRealTimeSearch, performance.dispatch.stream.local.duration_secs, runDuration, searchProviders, splunk_server, title
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adobrzeniecki
Path Finder
06-02-2020
05:53 AM
According to the documentation below, there is not an option for eventSorting=realtime.
Indicates if the events of this search are sorted, and in which order.
asc = ascending;
desc = descending;
none = not sorted
Would the actual setting to be used be isRealTimeSearch?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-09-2018
08:33 AM
hey @ddrillic
try this
| rest /services/search/jobs | search eventSorting=realtime
I hope that helps you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pnodine1
Engager
03-27-2024
08:26 AM
You can get cleaner results by adding a table.
|rest /services/search/jobs
| search eventSorting=realtime
| table label, author, dispatchState, eai:acl.owner, label, isRealTimeSearch,
performance.dispatch.stream.local.duration_secs, runDuration,
splunk_server, title
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Community Content Calendar, September edition
Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...
Splunkbase Unveils New App Listing Management Public Preview
Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...
