Solved: How can I list all the scheduled searches?

danielbb · ‎02-25-2020

We have some spikes for concurrent search jobs? therefore, how can I list all the scheduled searches for a given moment?

koshyk · ‎02-26-2020

Do you have "MOnitoring Console" configured? This one should show which search takes time in past xx minutes etc.

But if you want as a SPL query, please try

index=_audit sourcetype=audittrail savedsearch_name=* info="completed"
| timechart avg(total_run_time) by savedsearch_name

Please note, there will be 100's of saved-searches, so better if you put some kind of filter or list , so you can pinpoint which one runs slower etc. You can adjust the "Time range" to find which one was running at a given time slot. (You can change info=completed too to find all the stages)

View solution in original post

koshyk · ‎02-26-2020

Do you have "MOnitoring Console" configured? This one should show which search takes time in past xx minutes etc.

But if you want as a SPL query, please try

index=_audit sourcetype=audittrail savedsearch_name=* info="completed"
| timechart avg(total_run_time) by savedsearch_name

Please note, there will be 100's of saved-searches, so better if you put some kind of filter or list , so you can pinpoint which one runs slower etc. You can adjust the "Time range" to find which one was running at a given time slot. (You can change info=completed too to find all the stages)

How can I list all the scheduled searches?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio