Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is the information in the search job inspector stored in Splunk internally so I can query this data and set up dashboards?

feickertmd
Communicator
‎01-22-2015 10:27 AM

I have been tasked to find a way to report on the overall query load to our Splunk system by customers that we have using it. The information I need shows up in the job inspector. Is that information stored in the _internal index anywhere, or is there another data source which I can query to set up dashboards for this purpose?

Tags (2)
Reply

emiller42
Motivator
‎06-02-2015 09:07 AM

What information are you looking for out of the Inspector? That information is actually coming from the search artifact in the dispatch directory, and goes away when the search expires.

However, you also get metrics in the _introspection index. (index=_introspection sourcetype=splunk_resource_usage component=PerProcess) and there are built-in dashboards that might be helpful. (Activity > System Activity, or Settings > Distributed Management Console)

The Splunk on Splunk app also gives insight into search metrics, although there is overlap between it and the built-in dashboards mentioned above.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-29-2015 05:19 AM

It might be here:

| rest /services/search/jobs
Reply

sfmandmdev
Path Finder
‎05-29-2015 05:57 AM

Is this data logged? Is there a config param that can be enabled to write this info to logs?
Would be nice to analyze when looking at long running / expensive searches.

0 Karma
Reply

woodcock
Esteemed Legend
‎09-29-2015 12:51 PM

This data is not logged in this level of detail anywhere but you can save it yourself in a csv/lookup or in a summary index.

Reply

landen99
Motivator
‎09-29-2015 11:00 AM

Anything can be sent to a summary index with a scheduled search.

0 Karma
Reply

sfmandmdev
Path Finder
‎05-29-2015 01:41 AM

Is there an answer for this?

0 Karma
Reply

Anonymous
Not applicable
‎02-01-2021 11:52 PM

Hi

 

I know it`s a bit late for this answer. But in my defence I was too looking for the same thing.
And ended up on this post.

The inspector does not go trough the search pipeline because then it would impact the result of the search. 

The Inspector does a lot of checks and balance and it could interfere the search outcome if it was too in the search pipeline. 

Maybe in the future there would be a export to csv on the website. 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

It’s go time — Boston, here we come!

Are you ready to take your Splunk skills to the next level? Get set, because Splunk University is back, and ...

Performance Tuning the Platform, SPL2 Templates, and More New Articles on Splunk ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top