Splunk Search

How do I find a list of scheduled, saved searches in ES, especially the ones that run in real time?

SamHTexas
Communicator

How do I find a list of scheduled, saved searches in ES, especially the ones that run in real time? Can the Monitoring Console be used for this purpose? If yes, how, please?


richgalloway
SplunkTrust

The MC doesn't have that information. You can get it from the SH on which the search is scheduled. Go to Settings -> Searches, reports, and alerts, or search for

| rest /services/saved/searches | search is_scheduled=1
---
If this reply helps you, an upvote would be appreciated.

SamHTexas
Communicator

Thank you for your message. I am also getting red alerts for delayed searches. I searched on answers.splunk.com; they all blame the high-priority scheduled / saved searches. Your SPL did not find any in my environment. So how do I find the true cause of delayed searches from your point of view? (I know there are many factors, incl. CPU, RAM, etc.) Please advise, and thanks again.


richgalloway
SplunkTrust

At the risk of repeating myself, the cause of delayed searches is having to wait for other searches to complete. Search priorities are, in descending order: real-time, ad-hoc, scheduled, accelerations.

The Extended Search Reporting dashboard I referenced earlier (https://github.com/dpaper-splunk/public/blob/master/dashboards/extended_search_reporting.xml) presents information about your searches in various ways to help you identify problem spots.

Some focus points:

  1. Abandon real-time searches.  Really.  You don't need them.  Think you do?  Well, you don't.
  2. Get rid of searches you don't need.  That report no one reads?  Ditch it.
  3. Make searches as efficient as possible so they finish as soon as possible. This reduces the wait time for other searches to start.
  4. Set Schedule Window to "auto".
  5. Adjust the start times for the searches so fewer of them try to run at once.  There are 60 minutes in an hour - use them all.
---
If this reply helps you, an upvote would be appreciated.
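An added example, not from either reply and not Splunk's own code, that applies the checks from both replies (scheduled searches that are real-time, that lack Schedule Window "auto", or that run at a raised priority) to the JSON form of the `| rest /services/saved/searches` output. It assumes the REST response shape (entry / content / acl) and the savedsearches.conf attributes is_scheduled, disabled, cron_schedule, dispatch.earliest_time, dispatch.latest_time, schedule_window and schedule_priority; the three entries below are constructed sample data.

```python
import json

# Constructed sample in the shape of `| rest /services/saved/searches` (output_mode=json):
# a list of "entry" objects, each with a "content" dict of savedsearches.conf attributes.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Threat - Realtime Brute Force", "acl": {"app": "SplunkEnterpriseSecuritySuite", "owner": "admin"},
     "content": {"is_scheduled": True, "disabled": False, "cron_schedule": "*/5 * * * *",
                 "dispatch.earliest_time": "rt-5m", "dispatch.latest_time": "rt",
                 "schedule_window": "0", "schedule_priority": "highest"}},
    {"name": "Hourly Auth Summary", "acl": {"app": "search", "owner": "bob"},
     "content": {"is_scheduled": "1", "disabled": False, "cron_schedule": "0 * * * *",
                 "dispatch.earliest_time": "-60m@m", "dispatch.latest_time": "now",
                 "schedule_window": "auto", "schedule_priority": "default"}},
    {"name": "Ad hoc report nobody runs", "acl": {"app": "search", "owner": "carol"},
     "content": {"is_scheduled": False, "disabled": False, "cron_schedule": "",
                 "dispatch.earliest_time": "-24h", "dispatch.latest_time": "now",
                 "schedule_window": "0", "schedule_priority": "default"}},
]})

def _truthy(v):
    """REST output renders flags either as JSON booleans or as the strings "1"/"0"."""
    return v is True or str(v).lower() in ("1", "true")

def is_realtime(content):
    """A saved search is real-time when its dispatch window uses the rt* time modifiers."""
    return any(str(content.get(k, "")).startswith("rt")
               for k in ("dispatch.earliest_time", "dispatch.latest_time"))

def audit_saved_searches(response_json):
    """Return one finding per enabled scheduled search, in the order REST returned them."""
    findings = []
    for entry in json.loads(response_json)["entry"]:
        c = entry["content"]
        if not _truthy(c.get("is_scheduled")) or _truthy(c.get("disabled")):
            continue  # unscheduled or disabled searches never contend for scheduler slots
        issues = []
        if is_realtime(c):
            issues.append("real-time")
        if str(c.get("schedule_window", "0")) != "auto":
            issues.append("schedule_window!=auto")
        if c.get("schedule_priority", "default") != "default":
            issues.append("priority=" + c["schedule_priority"])
        findings.append({"name": entry["name"], "app": entry["acl"]["app"],
                         "owner": entry["acl"]["owner"], "cron": c.get("cron_schedule", ""),
                         "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_saved_searches(SAMPLE_RESPONSE):
        print(f"{f['app']}/{f['name']} ({f['owner']}) cron={f['cron']!r} issues={f['issues']}")
```

To run it against a real search head, replace SAMPLE_RESPONSE with the body of `https://<sh>:8089/services/saved/searches?output_mode=json&count=0` fetched with a read-only account.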