Splunk Search

Including Search Run Time in Search Results

eepperman
Engager

I'd like to be able to include the search run time in the search results. If we have two different searches and we are attempting to evaluate the efficiency of the search, we'd like to be able to view the run time of each of the searches during the evaluation process.

I know this can be done by running them singularly and then "Inspect Job"; however, I'd like to be able to view it as an output of the search.

Tags (4)

vr2312
Contributor

If these are saved/scheduled searches, you can run the below command :

index=_internal sourcetype=scheduler| table _time host user savedsearch_name status scheduled_time run_time result_count

The run_time column will give you the time take for the search to be completed.

0 Karma

jkat54
SplunkTrust
SplunkTrust

I have the same question and can do this:

|history | search status=completed search=*UniqueStringInSearch* search!=*history* | table _time result_count scan_count total_run_time

But I cant seem to schedule the search and get the |history command to work with scheduled searches.

0 Karma

jeffland
Champion

I don't know if a search can deliver this information directly, the only thing I know that is close to what you are looking for is addinfo which only adds the timeframe used, the sid and the time of execution. But every search you run is logged in the _audit index, so you could search there to evaluate your searches. This index keeps the runtime of your searches, which user started it, how many results it had, the search id and much more. You could pretty easily get the sid from your initial search with addinfo, put in in a token and then look for the runtime with a second search such as

index=_audit search_id=$sid$

I would be interested to see if there is another way to get this directly from the search though.

Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!