Splunk Search
Highlighted

How can I identify real time searches?

Ultra Champion

We suspect that some of our users run real time searches. How can I produce a report which shows real time search activity in the past week, month or so?

Labels (1)
Tags (1)
0 Karma
Highlighted

Re: How can I identify real time searches?

SplunkTrust
SplunkTrust

hey @ddrillic

try this

| rest /services/search/jobs | search eventSorting=realtime

I hope that helps you!

View solution in original post

Highlighted

Re: How can I identify real time searches?

Ultra Champion

I have this running as an alert to let me know who is running rt searches, and how long for

| rest /services/search/jobs | search eventSorting=realtime | table label, author, dispatchState,  eai:acl.owner, label, isRealTimeSearch, performance.dispatch.stream.local.duration_secs, runDuration, searchProviders, splunk_server, title
Highlighted

Re: How can I identify real time searches?

According to the documentation below, there is not an option for eventSorting=realtime.
Indicates if the events of this search are sorted, and in which order.
asc = ascending;

desc = descending;

none = not sorted

Would the actual setting to be used be isRealTimeSearch?

0 Karma
Highlighted

Re: How can I identify real time searches?

Super Champion

use |rest /services/search/jobs|search isRealTimeSearch=1 to see if that gets you what you need.
http://docs.splunk.com/Documentation/Splunk/4.3.6/RESTAPI/RESTsearch#GET_search.2Fjobs documentation to know what fields you might want

Highlighted

Re: How can I identify real time searches?

Builder

|rest /services/search/jobs|search isRealTimeSearch=1 

works however it doesn't seem to work on expired jobs.

0 Karma