Splunk Search

How to view all of the real-time concurrent system-wide searches

New Member

Hello,

I am trying to view all of the real-time concurrent system-wide searches to see how many users have real-time searches running.

I increased the limit by 10 because we kept hitting the limit. Now we are hitting the maximum again.

Thank you

Tags (2)
0 Karma

Builder

Hi Craig -

Below search query might help you..Select Real-time from time range picker

index=_internal source=*metrics.log group=search_concurrency user=* | eval total = active_hist_searches + active_realtime_searches | timechart max(total) by user agg=max useother=f limit=20 
0 Karma

Motivator

If your are using splunk 6.2, just look your Management Console: settings->Distributed Management Console.
Note that only admins can access. Once you are there, take a look at the CONCURRENT SEARCHES. Click on the number of searches displayed, to get the snapshots of all the concurrent system searches.

Thanks.

Community Manager
Community Manager

Hi @craigmueller

I was looking around at other posts and a couple of them suggested using the Splunk on Splunk (S.o.S) app https://apps.splunk.com/app/748/

0 Karma

Motivator

I second what @ppablo_splunk mentioned. Splunk on Splunk will give the count/search performance /mode/role etc. Install Splunk on Splunk and from the Search menu, select search Activiy. Here's a sample search that's telling me the maximum search concurrency and utilization

set_sos_index sourcetype=ps host="Aryahi-PC"

| multikv
| get_splunk_process_type
| search type="searches"
| get_search_props
| bin _time span=ps_sos_periods
| search mode = real-time
| stats dc(sid) as search_count by _time user
| timechart bucketize_ps_sos max(search_count) AS "Concurrent search count" by user

Hope this helps!
Thanks,
Raghav