Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I identify real time searches?

ddrillic
Ultra Champion
‎01-09-2018 08:19 AM

We suspect that some of our users run real time searches. How can I produce a report which shows real time search activity in the past week, month or so?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-09-2018 08:33 AM

hey @ddrillic

try this

| rest /services/search/jobs | search eventSorting=realtime

I hope that helps you!

View solution in original post

Reply
Solved! Jump to solution

cmerriman
Super Champion
‎01-09-2018 08:38 AM

use |rest /services/search/jobs|search isRealTimeSearch=1 to see if that gets you what you need.
http://docs.splunk.com/Documentation/Splunk/4.3.6/RESTAPI/RESTsearch#GET_search.2Fjobs documentation to know what fields you might want

Reply
Solved! Jump to solution

splunkreal
Motivator
‎07-30-2020 09:39 AM

|rest /services/search/jobs|search isRealTimeSearch=1 

works however it doesn't seem to work on expired jobs.

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

Dallastek1
Path Finder
‎11-07-2024 10:19 AM

try this:

index=_audit action=search is_realtime=1
| eval search_type=case(
search_id LIKE "scheduler%", "Scheduled Search",
search_id LIKE "rt_scheduler%", "Real-Time Scheduled Search",
search_id LIKE "dashboard%", "Dashboard",
search_id LIKE "adhoc%", "Ad-hoc Search",
1=1, "Ad-hoc Search"
)
| eval human_readable_time = strftime(_time, "%Y-%m-%d %H:%M:%S")
| stats count by user, search_type, _time
| rename human_readable_time AS "Time", user AS "User", search_type AS "Search Type", count AS "Search Count"
| sort - "Time"
0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎01-09-2018 08:38 AM

I have this running as an alert to let me know who is running rt searches, and how long for

| rest /services/search/jobs | search eventSorting=realtime | table label, author, dispatchState,  eai:acl.owner, label, isRealTimeSearch, performance.dispatch.stream.local.duration_secs, runDuration, searchProviders, splunk_server, title
If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

adobrzeniecki
Path Finder
‎06-02-2020 05:53 AM

According to the documentation below, there is not an option for eventSorting=realtime.
Indicates if the events of this search are sorted, and in which order.
asc = ascending;

desc = descending;

none = not sorted

Would the actual setting to be used be isRealTimeSearch?

0 Karma
Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-09-2018 08:33 AM

hey @ddrillic

try this

| rest /services/search/jobs | search eventSorting=realtime

I hope that helps you!

Reply
Solved! Jump to solution

pnodine1
Engager
‎03-27-2024 08:26 AM

You can get cleaner results by adding a table.

|rest /services/search/jobs 
| search eventSorting=realtime 
| table label, author, dispatchState,  eai:acl.owner, label, isRealTimeSearch, 
  performance.dispatch.stream.local.duration_secs, runDuration, 
  splunk_server, title
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...