Splunk Search

How to crossreference the search ID to the search owner and search name ?

Splunk Employee
Splunk Employee

How to crossreference the search ID to the search owner and search name? Example if another person created a search and I ran it and I want to know base on the search id , who create it and what is the search name?

Tags (2)
1 Solution

Splunk Employee
Splunk Employee

this one worked
| rest /services/search/jobs | table author eai:acl.owner sid label eventSearch splunk_server searchProvider | where sid like "%%" and splunk_server like "%"

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

this one worked
| rest /services/search/jobs | table author eai:acl.owner sid label eventSearch splunk_server searchProvider | where sid like "%%" and splunk_server like "%"

View solution in original post

0 Karma

Community Manager
Community Manager

Hi @cdo_splunk

I noticed you upvoted @jensonthottian's answer. If it solved your question, don't forget to accept the answer to resolve the post please. Thanks!

0 Karma

Contributor

Use the search below:

`dmc_set_index_introspection` host=--yoursearchead-- sourcetype=splunk_resource_usage data.search_props.sid::* data.search_props.mode!=RT | `dmc_rename_introspection_fields` | stats max(elapsed) as runtime max(mem_used) as mem_used earliest(_time) as _time by sid, type, mode, app, role, user | eval mem_used = round(mem_used, 2) | eval day = round(runtime / (3600*24) - 0.5) | eval hour = round((runtime % (3600*24)) / 3600 - 0.5) | eval minute = round((runtime % 3600) / 60 - 0.5) | eval second = round(runtime % 60, 2) | eval time = day."d ".hour."h ".minute."min ".second."s" | sort 10 - mem_used | fields - runtime, day, hour, minute, second | eval _time=strftime(_time,"%+") | rename sid as SID, type as Type, mode as Mode, app as App, role as Role, user as User, mem_used as "Memory Usage (MB)", _time as Started, time as Runtime

Splunk Employee
Splunk Employee

I tried the query and get the error Unknown search command 'dmc'.

0 Karma