Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Including Search Run Time in Search Results

eepperman
Engager
‎05-12-2015 08:38 AM

I'd like to be able to include the search run time in the search results. If we have two different searches and we are attempting to evaluate the efficiency of the search, we'd like to be able to view the run time of each of the searches during the evaluation process.

I know this can be done by running them singularly and then "Inspect Job"; however, I'd like to be able to view it as an output of the search.

Tags (4)
Reply

vr2312
Contributor
‎04-19-2017 06:15 AM

If these are saved/scheduled searches, you can run the below command :

index=_internal sourcetype=scheduler| table _time host user savedsearch_name status scheduled_time run_time result_count

The run_time column will give you the time take for the search to be completed.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎09-23-2016 09:31 AM

I have the same question and can do this:

|history | search status=completed search=*UniqueStringInSearch* search!=*history* | table _time result_count scan_count total_run_time

But I cant seem to schedule the search and get the |history command to work with scheduled searches.

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎05-12-2015 11:09 PM

I don't know if a search can deliver this information directly, the only thing I know that is close to what you are looking for is addinfo which only adds the timeframe used, the sid and the time of execution. But every search you run is logged in the _audit index, so you could search there to evaluate your searches. This index keeps the runtime of your searches, which user started it, how many results it had, the search id and much more. You could pretty easily get the sid from your initial search with addinfo, put in in a token and then look for the runtime with a second search such as

index=_audit search_id=$sid$

I would be interested to see if there is another way to get this directly from the search though.

Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...