Splunk Search

How to cross-reference the search ID to the search owner and search name?

cdo_splunk
Splunk Employee

How do I cross-reference the search ID to the search owner and search name? For example, if another person created a search and I ran it, and I want to know, based on the search ID, who created it and what the search name is?

1 Solution

cdo_splunk
Splunk Employee

This one worked:
| rest /services/search/jobs | table author eai:acl.owner sid label eventSearch splunk_server searchProvider | where sid like "%%" and splunk_server like "%"

0 Karma
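The accepted answer's `| rest /services/search/jobs` lookup, reproduced in Python against the same REST endpoint, as an added example that is not part of the original thread. It makes explicit the distinction the question is really asking about: the jobs endpoint tells you who ran the job (`author`, plus the job's `acl.owner`) and, when the job came from a saved search, its `label`; the owner of that saved search comes from a second lookup against `/services/saved/searches`. The JSON responses embedded below are constructed sample data (trimmed to the fields used), the host name is assumed, and the search IDs are made up; the field layout (`entry[].author`, `entry[].acl.owner`, `entry[].content.sid/label/eventSearch`) is what `output_mode=json` returns for these endpoints. Run against a live search head, the caller needs a role that is allowed to see other users' jobs, otherwise another user's sid simply does not appear.

```python
"""Map a Splunk search ID (sid) to who ran it, which saved search it came
from, and who owns that saved search.

Added example (not the thread's own code). Two REST lookups are modelled:
  GET /services/search/jobs?output_mode=json      -> job author, owner, label
  GET /services/saved/searches?output_mode=json   -> saved-search owner
Network calls are replaced by the constructed JSON documents below so the
script runs offline; jobs_request() shows the URL you would actually fetch.
"""
import json
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import quote, urlencode

# Constructed sample response for /services/search/jobs (assumed data).
SAMPLE_JOBS_JSON = json.dumps({"entry": [
    {   # ad hoc search: no label, author == owner
        "name": "search index=_internal sourcetype=splunkd ERROR | head 5",
        "author": "alice",
        "acl": {"owner": "alice", "app": "search", "sharing": "user"},
        "content": {"sid": "1703980800.42", "label": "", "isSavedSearch": False,
                    "eventSearch": "search index=_internal sourcetype=splunkd ERROR",
                    "dispatchState": "DONE"},
    },
    {   # saved search owned by another user, run manually by bob
        "name": "search index=wineventlog EventCode=4720 | stats count by user",
        "author": "bob",
        "acl": {"owner": "bob", "app": "SA-Investigations", "sharing": "user"},
        "content": {"sid": "bob__secops__SA-Investigations__RMD5c0ffee_at_1703980900_17",
                    "label": "New local account created", "isSavedSearch": True,
                    "eventSearch": "search index=wineventlog EventCode=4720",
                    "dispatchState": "DONE"},
    },
]})

# Constructed sample response for /services/saved/searches (assumed data).
SAMPLE_SAVED_SEARCHES_JSON = json.dumps({"entry": [
    {"name": "New local account created", "author": "secops",
     "acl": {"owner": "secops", "app": "SA-Investigations", "sharing": "app"},
     "content": {"search": "index=wineventlog EventCode=4720 | stats count by user"}},
]})


@dataclass
class JobInfo:
    sid: str
    ran_by: str                      # "author": the user who dispatched the job
    job_owner: str                   # "acl.owner" of the job itself
    app: str                         # app context the job ran in
    label: str                       # saved-search name; "" for ad hoc searches
    event_search: str                # the base search that produced the events
    saved_search_owner: Optional[str] = None   # filled in from saved/searches


def jobs_request(base_url: str, sid: Optional[str] = None, count: int = 0) -> str:
    """URL for the lookup: one job by sid, or the full listing (count=0 = all)."""
    if sid:
        return f"{base_url}/services/search/jobs/{quote(sid, safe='')}?output_mode=json"
    return f"{base_url}/services/search/jobs?{urlencode({'output_mode': 'json', 'count': count})}"


def index_jobs(jobs_json: str) -> Dict[str, JobInfo]:
    """sid -> JobInfo, the same columns the accepted `| rest ... | table` shows."""
    out: Dict[str, JobInfo] = {}
    for entry in json.loads(jobs_json).get("entry", []):
        content, acl = entry.get("content", {}), entry.get("acl", {})
        sid = content.get("sid")
        if not sid:
            continue
        out[sid] = JobInfo(sid=sid, ran_by=entry.get("author", ""),
                           job_owner=acl.get("owner", ""), app=acl.get("app", ""),
                           label=content.get("label", ""),
                           event_search=content.get("eventSearch", ""))
    return out


def saved_search_owners(saved_json: str) -> Dict[str, str]:
    """saved-search name -> acl.owner, i.e. who created/owns the definition."""
    return {e["name"]: e.get("acl", {}).get("owner", "")
            for e in json.loads(saved_json).get("entry", []) if "name" in e}


def resolve_sid(sid: str, jobs_json: str, saved_json: str) -> Optional[JobInfo]:
    """Return the job's provenance, or None when the sid is no longer listed.
    Jobs only exist in the dispatch directory until their TTL expires, so an
    old sid yields None here and must be traced through the _audit index."""
    job = index_jobs(jobs_json).get(sid)
    if job is None:
        return None
    if job.label:                    # only saved searches have a definition to look up
        job.saved_search_owner = saved_search_owners(saved_json).get(job.label)
    return job


if __name__ == "__main__":
    base = "https://splunk-sh.example.com:8089"   # assumed host
    for sid in ("1703980800.42",
                "bob__secops__SA-Investigations__RMD5c0ffee_at_1703980900_17",
                "1600000000.1"):
        print(jobs_request(base, sid))
        print(resolve_sid(sid, SAMPLE_JOBS_JSON, SAMPLE_SAVED_SEARCHES_JSON))
```

The point the thread circles around is that `author` on a job is the person who ran it, not the person who wrote the search; the saved-search name is in `label`, and its owner only comes from `saved/searches`. For a sid that has already aged out of `search/jobs`, the same three facts (`user`, `savedsearch_name`, `search`) are recorded per `search_id` in `index=_audit action=search`, which is the place to look during an incident review.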

ppablo
Retired

Hi @cdo_splunk

I noticed you upvoted @jensonthottian's answer. If it solved your question, please don't forget to accept the answer to resolve the post. Thanks!

0 Karma

jensonthottian
Contributor

Use the search below:

`dmc_set_index_introspection` host=--yoursearchead-- sourcetype=splunk_resource_usage data.search_props.sid::* data.search_props.mode!=RT | `dmc_rename_introspection_fields` | stats max(elapsed) as runtime max(mem_used) as mem_used earliest(_time) as _time by sid, type, mode, app, role, user | eval mem_used = round(mem_used, 2) | eval day = round(runtime / (3600*24) - 0.5) | eval hour = round((runtime % (3600*24)) / 3600 - 0.5) | eval minute = round((runtime % 3600) / 60 - 0.5) | eval second = round(runtime % 60, 2) | eval time = day."d ".hour."h ".minute."min ".second."s" | sort 10 - mem_used | fields - runtime, day, hour, minute, second | eval _time=strftime(_time,"%+") | rename sid as SID, type as Type, mode as Mode, app as App, role as Role, user as User, mem_used as "Memory Usage (MB)", _time as Started, time as Runtime

cdo_splunk
Splunk Employee

I tried the query and got the error "Unknown search command 'dmc'".

0 Karma