How do I find a list of scheduled, saved searches in ES, especially the ones that run in real time?

SamHTexas
Builder

How do I find a list of scheduled, saved searches in ES, especially the ones that run in real time? Can the Monitoring Console be used for this purpose? If yes, how, please?


richgalloway
SplunkTrust

The MC doesn't have that information.  You can get it from the SH on which the search is scheduled.  Go to Settings->Searches, reports, and alerts or search for 

| rest /services/saved/searches | search is_scheduled=1
---
If this reply helps you, Karma would be appreciated.

SamHTexas
Builder

Thank you for your message. I am also getting red alerts for delayed searches. I searched on answers.splunk.com; they all blame the high-priority scheduled/saved searches. Your SPL did not find any in my environment. So how do I find the true cause of delayed searches from your point of view? (I know there are many factors, including CPU, RAM, etc.) Please advise, and thanks again.


richgalloway
SplunkTrust

At the risk of repeating myself, the cause of delayed searches is having to wait for other searches to complete.  Search priorities are, in descending order: real-time, ad-hoc, scheduled, accelerations.

The Extended Search Reporting dashboard I referenced earlier (https://github.com/dpaper-splunk/public/blob/master/dashboards/extended_search_reporting.xml) presents information about your searches in various ways to help you identify problem spots.

Some focus points:

  1. Abandon real-time searches.  Really.  You don't need them.  Think you do?  Well, you don't.
  2. Get rid of searches you don't need.  That report no one reads?  Ditch it.
  3. Make searches as efficient as possible so they finish as soon as possible. This reduces the wait time for other searches to start.
  4. Set Schedule Window to "auto".
  5. Adjust the start times for the searches so fewer of them try to run at once.  There are 60 minutes in an hour - use them all.
---
If this reply helps you, Karma would be appreciated.
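The two replies above cover two tasks: listing which saved searches are actually scheduled (and which of those are real-time), and spreading cron start times so fewer searches fire at the same minute. The following Python script is an added example, not code from either poster and not Splunk's own tooling. It works from the text of a savedsearches.conf rather than the `| rest` endpoint, so it runs offline: it keeps only stanzas with enableSched = 1 that are not disabled (inheriting the [default] stanza the way Splunk does), flags those whose dispatch time range uses the `rt` modifier (the real-time searches the question asks about and focus point 1 says to abandon), and then counts how many scheduled searches start on each minute of the hour so you can see where to move cron schedules (focus point 5). The sample conf, stanza names and search strings are constructed for illustration.

```python
"""Inventory scheduled saved searches from savedsearches.conf, flag real-time ones,
and find the minutes of the hour where several cron schedules start at once.
Added example, not Splunk tooling; the conf text is constructed and the names made up."""
import configparser
from collections import defaultdict

SAMPLE_CONF = """\
[default]
enableSched = 0

[Threat - Brute Force Detected - Rule]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -65m@m
search = index=auth action=failure | stats count by user

[Threat - Live Malware Beacon - Rule]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
search = index=proxy | stats count by dest

[Ad Hoc Scratch Search]
cron_schedule = 0 * * * *
search = index=main | head 10

[Old Report Nobody Reads]
enableSched = 1
disabled = 1
cron_schedule = 30 * * * *
search = index=main | stats count
"""

def parse_savedsearches(text):
    """Parse one .conf file; [default] is inherited by every stanza, as in Splunk.
    Layering of default/local and multiple apps is not modelled (use btool for that)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), default_section="default")
    cp.optionxform = str  # keep key case: enableSched, dispatch.earliest_time
    cp.read_string(text)
    return cp

def is_scheduled(stanza):
    """enableSched=1 is what the REST field is_scheduled reflects; disabled stanzas never run."""
    return stanza.get("enableSched", "0") == "1" and stanza.get("disabled", "0") != "1"

def is_realtime(stanza):
    """A saved search is real-time when its dispatch time range uses the rt modifier."""
    return any(stanza.get(k, "").startswith("rt")
               for k in ("dispatch.earliest_time", "dispatch.latest_time"))

def inventory(text):
    """One row per scheduled, enabled stanza, in file order."""
    cp = parse_savedsearches(text)
    return [{"name": n, "cron": cp[n].get("cron_schedule", ""), "realtime": is_realtime(cp[n])}
            for n in cp.sections() if is_scheduled(cp[n])]

def cron_minutes(minute_field):
    """Expand a cron minute field: *, */n, a-b, a-b/n, a/n and comma lists."""
    minutes = set()
    for part in minute_field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/")
            step = int(step)
        if part == "*":
            lo, hi = 0, 59
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
        else:
            lo = int(part)
            hi = 59 if step > 1 else lo  # "5/10" means 5, 15, ..., 55
        minutes.update(range(lo, hi + 1, step))
    return minutes

def minute_load(rows):
    """Map each minute of the hour to the scheduled searches that start on it."""
    load = defaultdict(list)
    for r in rows:
        for m in (cron_minutes(r["cron"].split()[0]) if r["cron"] else ()):
            load[m].append(r["name"])
    return dict(load)

def busiest_minutes(rows, top=3):
    """Minutes with the most simultaneous starts, busiest first (ties by minute)."""
    return sorted(minute_load(rows).items(), key=lambda kv: (-len(kv[1]), kv[0]))[:top]

def least_loaded_minute(rows):
    """An empty (or least crowded) minute to move a colliding search to."""
    load = minute_load(rows)
    return min(range(60), key=lambda m: (len(load.get(m, [])), m))

if __name__ == "__main__":
    rows = inventory(SAMPLE_CONF)
    for r in rows:
        print(("REAL-TIME " if r["realtime"] else "scheduled ") + f"{r['name']!r} cron={r['cron']!r}")
    for minute, names in busiest_minutes(rows):
        print(f"minute {minute:02d}: {len(names)} start at once -> {names}")
    print("least loaded minute:", least_loaded_minute(rows))
```

On a real search head the effective configuration is the merge of every app's default and local savedsearches.conf, so feed the script the output of `splunk btool savedsearches list --debug` (or export the results of the `| rest /services/saved/searches` query from the first reply) rather than a single file; the ES correlation searches are ordinary saved searches in the ES apps' conf files and show up the same way. Only the minute field of the cron expression is expanded, which is enough for the "use all 60 minutes" check; a search that is scheduled on a crowded minute can be moved to whatever `least_loaded_minute` reports, and a stanza flagged real-time is a candidate for conversion to a short scheduled search.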