The SOS app has some interesting dashboards on it too.

Or I use thinks like

index=_audit total_run_time | convert num(total_run_time) | eval event_per_sec=scan_count/total_run_time | stats count median(event_per_sec) AS median avg(event_per_sec) AS avg perc95(event_per_sec) AS perc95 max(total_run_time) AS maxruntime max(scan_count) AS scancount by search_id


Thanks. This helps:

index=_audit earliest=-5m savedsearch_name=* | eval searchStartTime=strptime(apiStartTime, "'%a %B %d %H:%M:%S %Y'") | eval searchEndTime=strptime(apiEndTime, "'%a %B %d %H:%M:%S %Y'") | eval searchExecuteTime=_time | eval deltaFromEnd=searchExecuteTime - searchStartTime | timechart span=1m max(deltaFromEnd) min(deltaFromEnd) avg(deltaFromEnd)

Splunk 5 is slick, you'll be glad you upgraded when you do.

FYI : the SoS app is also available for prior Splunk versions.Very nice for diagnosing search performance.

Splunk 5 does not seem to have enough documentation yet. We (my company) might wait to upgrade until it is more readily available.

The Splunk on Splunk(SoS) app is your friend 🙂

We are not running 5.0.

I am looking more in general. I would like to baseline a search and then also baseline all searches so that we can determine if we are having Splunk performance issues.

So if I come up with a general search (like "index=* earliest=-15s") then determine how long it took to run.

Also do this for all searches so look at the average, median, and max time is takes to do all searches and see if searches are running normal, faster, or slower than something like yesterday or the same time last week.

Thanks.