Hi, I have the following SPL as a dashboard panel which shows realtime searches. This is so I can contact the owners and discuss them converting to a scheduled report instead:
| rest /services/search/jobs | search eventSorting=realtime
| eval author=upper(author)
| lookup snow_sys_user_list.csv user_name as author
| table author label eventSearch dv_name dispatchState, eai:acl.owner, isRealTimeSearch, performance.dispatch.stream.local.duration_secs, runDuration, searchProviders, splunk_server
However, the panel is still showing reports that have been converted to scheduled reports/alerts or deleted entirely. Is there some SPL I have to add to get it to only see "active" real-time searches?
Thanks
