Splunk Search

Including Search Run Time in Search Results

Engager

I'd like to be able to include the search run time in the search results. If we have two different searches and we are attempting to evaluate the efficiency of the search, we'd like to be able to view the run time of each of the searches during the evaluation process.

I know this can be done by running them singularly and then "Inspect Job"; however, I'd like to be able to view it as an output of the search.

Tags (4)

Contributor

If these are saved/scheduled searches, you can run the below command :

index=_internal sourcetype=scheduler| table _time host user savedsearch_name status scheduled_time run_time result_count

The run_time column will give you the time take for the search to be completed.

0 Karma

SplunkTrust
SplunkTrust

I have the same question and can do this:

|history | search status=completed search=*UniqueStringInSearch* search!=*history* | table _time result_count scan_count total_run_time

But I cant seem to schedule the search and get the |history command to work with scheduled searches.

0 Karma

Champion

I don't know if a search can deliver this information directly, the only thing I know that is close to what you are looking for is addinfo which only adds the timeframe used, the sid and the time of execution. But every search you run is logged in the _audit index, so you could search there to evaluate your searches. This index keeps the runtime of your searches, which user started it, how many results it had, the search id and much more. You could pretty easily get the sid from your initial search with addinfo, put in in a token and then look for the runtime with a second search such as

index=_audit search_id=$sid$

I would be interested to see if there is another way to get this directly from the search though.

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!