How to edit my search to find real-time scheduled searches?

Path Finder

Below is the search I am using to find the real-time scheduled searches, but I would like to know which user is running them, the name of the search and, if possible, when those searches were launched.

index=_internal source=*scheduler.log run_time=* search_type!="scheduled" | stats count by search_type

Super Champion

Try this (though you may need/want to do some editing/formatting on the savedsearch_name and scheduled_time fields):

index=_internal source=*scheduler.log run_time=* search_type!="scheduled" | stats count by search_type, user, savedsearch_name, scheduled_time
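To see what the stats call above actually groups on, here is an added example written for this page (not code from the thread or from Splunk): a small Python parser for scheduler.log-style key=value lines that applies the same filters (run_time present, search_type not "scheduled") and groups by search_type, user, savedsearch_name and scheduled_time, with scheduled_time rendered as a human-readable UTC timestamp. The sample log lines are constructed and only approximate the real scheduler.log layout; the field names are the ones the SPL relies on, while the search_type values "realtime" and "continuous" are assumed for illustration. It also lists which of the matching searches are owned by "nobody", since that is the follow-up question in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines approximating scheduler.log's key=value format.
# They are made up for this example, not taken from a real Splunk instance.
# Epoch 1696150800 = 2023-10-01 09:00:00 UTC, 1696151100 = 09:05:00 UTC.
SAMPLE_LOG = """\
10-01-2023 09:00:05.123 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Realtime Alert", search_type="realtime", user="nobody", app="search", savedsearch_name="Realtime Alert", status=success, scheduled_time=1696150800, run_time=1.50
10-01-2023 09:00:07.456 +0000 INFO  SavedSplunker - savedsearch_id="admin;search;Daily Report", search_type="scheduled", user="admin", app="search", savedsearch_name="Daily Report", status=success, scheduled_time=1696150800, run_time=3.20
10-01-2023 09:05:05.789 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Realtime Alert", search_type="realtime", user="nobody", app="search", savedsearch_name="Realtime Alert", status=success, scheduled_time=1696151100, run_time=1.40
10-01-2023 09:05:06.000 +0000 INFO  SavedSplunker - savedsearch_id="alice;search;Accel, DM", search_type="continuous", user="alice", app="search", savedsearch_name="Accel, DM", status=success, scheduled_time=1696151100, run_time=0.90
10-01-2023 09:05:06.500 +0000 INFO  SavedSplunker - savedsearch_id="bob;search;No Run Time", search_type="realtime", user="bob", app="search", savedsearch_name="No Run Time", status=skipped, scheduled_time=1696151100
"""

# key=value pairs; quoted values may contain commas, spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')


def parse_line(line):
    """Return the key=value fields of one log line as a dict (quotes stripped)."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def find_non_scheduled_runs(log_text):
    """Equivalent of the SPL in the answer above:
         ... run_time=* search_type!="scheduled"
         | stats count by search_type, user, savedsearch_name, scheduled_time
    Returns one row per group, sorted, with scheduled_time formatted in UTC."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        if "run_time" not in f:                 # run_time=* keeps only events carrying that field
            continue
        if f.get("search_type") == "scheduled":  # search_type!="scheduled"
            continue
        key = (f["search_type"], f["user"], f["savedsearch_name"], int(f["scheduled_time"]))
        counts[key] += 1
    return [
        {
            "search_type": st,
            "user": user,
            "savedsearch_name": name,
            "scheduled_time": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "count": count,
        }
        for (st, user, name, ts), count in sorted(counts.items())
    ]


def nobody_owned(rows):
    """Names of matching searches whose owner is "nobody" (app-shipped or orphaned)."""
    return sorted({r["savedsearch_name"] for r in rows if r["user"] == "nobody"})


if __name__ == "__main__":
    for row in find_non_scheduled_runs(SAMPLE_LOG):
        print(row)
    print("owned by nobody:", nobody_owned(SAMPLE_LOG and find_non_scheduled_runs(SAMPLE_LOG)))
```

In the sample, the "scheduled" report and the event with no run_time drop out, exactly as they do in the SPL, and the two "realtime" runs of the same search stay separate rows because scheduled_time differs between them; if you only want one row per search, drop scheduled_time from the grouping and keep `min`/`max` of it instead.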

Path Finder

Can I please know what the user name "nobody" means? Because real-time searches will impact the performance of indexers.


Esteemed Legend

"nobody" means EITHER that the KO was installed by adding an app OR that the owner who created it has been deleted from Splunk.
