Splunk Search

How to retrieve search name by search id

danielwan
Explorer

My Splunk server has high CPU usage, and I saw a bunch of splunkd processes like the one below:

search --id=admin_adminsearch_search9_xxxxx.yyyyy --maxbuckets=0 --ttl=600 --maxout=500000 --maxtime=8640000 --lookups=1 --reduce_freq=10 --user=admin --pro --roles=admin:can_delete:power:user

These searches seem to run periodically.

How could I look up the scheduled/ad-hoc search names by these search_ids, and furthermore retrieve the search query content?

1 Solution

niketn
Legend

@danielwan, you can use the Splunk REST API to pull the search details along with the query, earliest and latest time and other details (you can also view the search results). If you want to reuse/rerun the search you can use request.search, searchEarliestTime and searchLatestTime:

| rest /services/search/jobs/admin_adminsearch_search9_xxxxx.yyyyy
| table sid title eai:acl.app eai:acl.owner request.search searchEarliestTime searchLatestTime custom.dispatch.earliest_time custom.dispatch.latest_time

Please try and confirm. Following is the link to Splunk Documentation for Splunk REST API reference: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma
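The same lookup done from outside Splunk, as an added example that is not part of the answer above: it builds the `/services/search/jobs/{sid}` URL, validates the sid before placing it in a URL path (the value is copied straight out of a process list, so it should be checked rather than trusted), and pulls the fields the `| table` command above shows out of the JSON body. The JSON layout (an `entry` list whose `content` nests `eai:acl` and `request` as objects, which `| rest` presents as dotted names) and the sample response are constructed assumptions, not output captured from a real instance; `fetch_job` is the live call and is not exercised offline.

```python
import json
import re
import urllib.request

# Search ids look like admin_adminsearch_search9_xxxxx.yyyyy: word characters,
# dots, dashes. Reject anything else before interpolating the sid into a URL path.
SID_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")

# Fields from the accepted answer's `| table ...`; dotted names mirror how
# `| rest` flattens the nested JSON (assumption about the endpoint's layout).
FIELDS = ("sid", "title", "eai:acl.app", "eai:acl.owner", "request.search",
          "searchEarliestTime", "searchLatestTime")


def job_url(base_url, sid):
    """URL of the job endpoint for one sid, asking for JSON instead of Atom XML."""
    if not SID_RE.match(sid):
        raise ValueError("unexpected characters in sid: %r" % sid)
    return "%s/services/search/jobs/%s?output_mode=json" % (base_url.rstrip("/"), sid)


def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted keys (eai:acl -> eai:acl.app, ...)."""
    out = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def parse_job(payload):
    """Pick the fields of interest out of a decoded job response; None if no entry."""
    entries = payload.get("entry", [])
    if not entries:
        return None
    entry = entries[0]
    flat = flatten(entry.get("content", {}))
    # `| rest` reports the entry name as `title`; the SPL itself lives in request.search.
    flat.setdefault("title", entry.get("name"))
    return {field: flat.get(field) for field in FIELDS}


def fetch_job(base_url, sid, session_key, context=None):
    """Live lookup (needs network). session_key is the value returned by /services/auth/login;
    pass an ssl.SSLContext as `context` that trusts the management port's certificate."""
    req = urllib.request.Request(job_url(base_url, sid),
                                 headers={"Authorization": "Splunk " + session_key})
    with urllib.request.urlopen(req, context=context) as resp:
        return parse_job(json.load(resp))


# Constructed sample response shaped like the endpoint's JSON output (assumption).
SAMPLE = {"entry": [{"name": "search index=_internal | stats count",
                     "content": {"sid": "admin_adminsearch_search9_xxxxx.yyyyy",
                                 "eai:acl": {"app": "search", "owner": "admin"},
                                 "request": {"search": "search index=_internal | stats count"},
                                 "searchEarliestTime": "1700000000",
                                 "searchLatestTime": "1700003600"}}]}

if __name__ == "__main__":
    for name, value in parse_job(SAMPLE).items():
        print("%-20s %s" % (name, value))
```

Point `fetch_job` at the management port (8089 by default), not the web port, and note that the job entry only exists while the job's ttl (600 seconds in the process list above) has not expired; for a job that is already gone, the `_audit` index is the remaining record.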

efavreau
Motivator

There's already an accepted answer. However, if that's not working for you, and you have the sid, then you can use index=_audit to get to the search. Note the search field has items that you probably don't want, so there are a couple of rex commands to boil it down to only the SPL.

index=_audit search=* action=search search_id=*admin_adminsearch_search9_xxxxx.yyyyy* 
| rex "search='search (?<search>[^\e]+)" 
| rex mode=sed field=search "s/', autojoin=[^\e]+//g"

If this helps anyone, please upvote the answer!

###

If this reply helps you, an upvote would be appreciated.
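The same extraction done outside Splunk, as an added example that is not part of the reply above, for when the `_audit` events have been forwarded to another system or exported to a file: it applies the logic of the two rex commands (keep what follows `search='search ` and cut at `', autojoin=`) to raw audit lines and indexes the results by sid, also picking up `savedsearch_name` so a scheduled search can be told from an ad-hoc one. The sample lines are constructed to match the `Audit:[key=value, ...]` shape of Splunk's search audit events; that shape, and the presence of the `savedsearch_name` field, are assumptions.

```python
import re

# Constructed sample _audit lines (not captured from a real instance).
AUDIT_LINES = [
    "Audit:[timestamp=03-01-2024 10:00:00.000, user=admin, action=search, info=granted, "
    "search_id='admin_adminsearch_search9_xxxxx.yyyyy', search='search index=_internal "
    "source=*metrics.log | stats count by group', autojoin='1', buckets=0, ttl=600, "
    "max_count=500000, maxtime=8640000, savedsearch_name=\"CPU check\"]",
    "Audit:[timestamp=03-01-2024 10:05:00.000, user=bob, action=search, info=granted, "
    "search_id='bob_search_search2_aaaaa.bbbbb', search='search index=main error', "
    "autojoin='1', buckets=0, ttl=600, savedsearch_name=\"\"]",
    "Audit:[timestamp=03-01-2024 10:06:00.000, user=admin, action=login, info=succeeded]",
]

SID_RE = re.compile(r"search_id='(?P<sid>[^']+)'")
USER_RE = re.compile(r"\buser=(?P<user>[^,\]]+)")
# Equivalent of the two rex commands: everything after "search='search " up to the
# ", autojoin=" that terminates the SPL in the audit record (non-greedy, so a
# literal ', autojoin=' inside the SPL would still be cut at the first occurrence).
SPL_RE = re.compile(r"search='search (?P<spl>.*?)', autojoin=", re.DOTALL)
NAME_RE = re.compile(r'savedsearch_name="(?P<name>[^"]*)"')


def parse_audit_line(line):
    """Return {sid, user, spl, savedsearch_name} for a search audit event, else None."""
    if "action=search" not in line:
        return None
    sid = SID_RE.search(line)
    spl = SPL_RE.search(line)
    if not sid or not spl:
        return None
    name = NAME_RE.search(line)
    return {
        "sid": sid.group("sid"),
        "user": (USER_RE.search(line) or {}) and USER_RE.search(line).group("user"),
        "spl": spl.group("spl"),
        # Empty string means the audit record carried no saved search name (ad-hoc).
        "savedsearch_name": name.group("name") if name else "",
    }


def parse_audit(lines):
    """Map sid -> parsed record for every search event in `lines`."""
    records = {}
    for line in lines:
        rec = parse_audit_line(line)
        if rec:
            records[rec["sid"]] = rec
    return records


def find_search(sid, lines):
    """Look up one sid, the way the `search_id=*sid*` filter above does."""
    return parse_audit(lines).get(sid)


if __name__ == "__main__":
    rec = find_search("admin_adminsearch_search9_xxxxx.yyyyy", AUDIT_LINES)
    kind = "scheduled (%s)" % rec["savedsearch_name"] if rec["savedsearch_name"] else "ad-hoc"
    print("%s ran by %s, %s:\n  %s" % (rec["sid"], rec["user"], kind, rec["spl"]))
```

A sid whose record carries a saved search name can then be matched against `savedsearches.conf`; one with an empty name was typed in interactively, which narrows the hunt for whatever is burning CPU to a user session rather than the scheduler.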


tlam_splunk
Splunk Employee

You could use the search id to find the corresponding search folder under $SPLUNK_HOME/var/run/splunk/dispatch. Inside the search folder, you can find the search content for that particular search.

0 Karma