Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I identify real time searches?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
01-09-2018
08:19 AM
We suspect that some of our users run real time searches. How can I produce a report which shows real time search activity in the past week, month or so?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-09-2018
08:33 AM
hey @ddrillic
try this
| rest /services/search/jobs | search eventSorting=realtime
I hope that helps you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
01-09-2018
08:38 AM
use |rest /services/search/jobs|search isRealTimeSearch=1 to see if that gets you what you need.
http://docs.splunk.com/Documentation/Splunk/4.3.6/RESTAPI/RESTsearch#GET_search.2Fjobs documentation to know what fields you might want
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkreal
Motivator
07-30-2020
09:39 AM
|rest /services/search/jobs|search isRealTimeSearch=1
works however it doesn't seem to work on expired jobs.
* If this helps, please upvote or accept solution if it solved *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dallastek1
Path Finder
11-07-2024
10:19 AM
try this:
index=_audit action=search is_realtime=1
| eval search_type=case(
search_id LIKE "scheduler%", "Scheduled Search",
search_id LIKE "rt_scheduler%", "Real-Time Scheduled Search",
search_id LIKE "dashboard%", "Dashboard",
search_id LIKE "adhoc%", "Ad-hoc Search",
1=1, "Ad-hoc Search"
)
| eval human_readable_time = strftime(_time, "%Y-%m-%d %H:%M:%S")
| stats count by user, search_type, _time
| rename human_readable_time AS "Time", user AS "User", search_type AS "Search Type", count AS "Search Count"
| sort - "Time"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
01-09-2018
08:38 AM
I have this running as an alert to let me know who is running rt searches, and how long for
| rest /services/search/jobs | search eventSorting=realtime | table label, author, dispatchState, eai:acl.owner, label, isRealTimeSearch, performance.dispatch.stream.local.duration_secs, runDuration, searchProviders, splunk_server, title
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adobrzeniecki
Path Finder
06-02-2020
05:53 AM
According to the documentation below, there is not an option for eventSorting=realtime.
Indicates if the events of this search are sorted, and in which order.
asc = ascending;
desc = descending;
none = not sorted
Would the actual setting to be used be isRealTimeSearch?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-09-2018
08:33 AM
hey @ddrillic
try this
| rest /services/search/jobs | search eventSorting=realtime
I hope that helps you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pnodine1
Engager
03-27-2024
08:26 AM
You can get cleaner results by adding a table.
|rest /services/search/jobs
| search eventSorting=realtime
| table label, author, dispatchState, eai:acl.owner, label, isRealTimeSearch,
performance.dispatch.stream.local.duration_secs, runDuration,
splunk_server, title
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
