Splunk Search

How can I list all the scheduled searches?

danielbb
Motivator

We have some spikes for concurrent search jobs? therefore, how can I list all the scheduled searches for a given moment?

Tags (1)
0 Karma
1 Solution

koshyk
Super Champion

Do you have "MOnitoring Console" configured? This one should show which search takes time in past xx minutes etc.

But if you want as a SPL query, please try

index=_audit sourcetype=audittrail savedsearch_name=* info="completed"
| timechart avg(total_run_time) by savedsearch_name

Please note, there will be 100's of saved-searches, so better if you put some kind of filter or list , so you can pinpoint which one runs slower etc. You can adjust the "Time range" to find which one was running at a given time slot. (You can change info=completed too to find all the stages)

View solution in original post

koshyk
Super Champion

Do you have "MOnitoring Console" configured? This one should show which search takes time in past xx minutes etc.

But if you want as a SPL query, please try

index=_audit sourcetype=audittrail savedsearch_name=* info="completed"
| timechart avg(total_run_time) by savedsearch_name

Please note, there will be 100's of saved-searches, so better if you put some kind of filter or list , so you can pinpoint which one runs slower etc. You can adjust the "Time range" to find which one was running at a given time slot. (You can change info=completed too to find all the stages)

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...