Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I identify real time searches?

ddrillic
Ultra Champion
‎01-09-2018 08:19 AM

We suspect that some of our users run real time searches. How can I produce a report which shows real time search activity in the past week, month or so?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-09-2018 08:33 AM

hey @ddrillic

try this

| rest /services/search/jobs | search eventSorting=realtime

I hope that helps you!

View solution in original post

Reply
Solved! Jump to solution

cmerriman
Super Champion
‎01-09-2018 08:38 AM

use |rest /services/search/jobs|search isRealTimeSearch=1 to see if that gets you what you need.
http://docs.splunk.com/Documentation/Splunk/4.3.6/RESTAPI/RESTsearch#GET_search.2Fjobs documentation to know what fields you might want

Reply
Solved! Jump to solution

splunkreal
Motivator
‎07-30-2020 09:39 AM

|rest /services/search/jobs|search isRealTimeSearch=1 

works however it doesn't seem to work on expired jobs.

* If this helps, please upvote or accept solution 🙂 *
0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎01-09-2018 08:38 AM

I have this running as an alert to let me know who is running rt searches, and how long for

| rest /services/search/jobs | search eventSorting=realtime | table label, author, dispatchState,  eai:acl.owner, label, isRealTimeSearch, performance.dispatch.stream.local.duration_secs, runDuration, searchProviders, splunk_server, title
If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

adobrzeniecki
Path Finder
‎06-02-2020 05:53 AM

According to the documentation below, there is not an option for eventSorting=realtime.
Indicates if the events of this search are sorted, and in which order.
asc = ascending;

desc = descending;

none = not sorted

Would the actual setting to be used be isRealTimeSearch?

0 Karma
Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-09-2018 08:33 AM

hey @ddrillic

try this

| rest /services/search/jobs | search eventSorting=realtime

I hope that helps you!

Reply
Solved! Jump to solution

pnodine1
Engager
4 weeks ago

You can get cleaner results by adding a table.

|rest /services/search/jobs 
| search eventSorting=realtime 
| table label, author, dispatchState,  eai:acl.owner, label, isRealTimeSearch, 
  performance.dispatch.stream.local.duration_secs, runDuration, 
  splunk_server, title
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...