Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Including Search Run Time in Search Results

eepperman
Engager
‎05-12-2015 08:38 AM

I'd like to be able to include the search run time in the search results. If we have two different searches and we are attempting to evaluate the efficiency of the search, we'd like to be able to view the run time of each of the searches during the evaluation process.

I know this can be done by running them singularly and then "Inspect Job"; however, I'd like to be able to view it as an output of the search.

Tags (4)
Reply

vr2312
Builder
‎04-19-2017 06:15 AM

If these are saved/scheduled searches, you can run the below command :

index=_internal sourcetype=scheduler| table _time host user savedsearch_name status scheduled_time run_time result_count

The run_time column will give you the time take for the search to be completed.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎09-23-2016 09:31 AM

I have the same question and can do this:

|history | search status=completed search=*UniqueStringInSearch* search!=*history* | table _time result_count scan_count total_run_time

But I cant seem to schedule the search and get the |history command to work with scheduled searches.

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎05-12-2015 11:09 PM

I don't know if a search can deliver this information directly, the only thing I know that is close to what you are looking for is addinfo which only adds the timeframe used, the sid and the time of execution. But every search you run is logged in the _audit index, so you could search there to evaluate your searches. This index keeps the runtime of your searches, which user started it, how many results it had, the search id and much more. You could pretty easily get the sid from your initial search with addinfo, put in in a token and then look for the runtime with a second search such as

index=_audit search_id=$sid$

I would be interested to see if there is another way to get this directly from the search though.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...