Splunk Search

List of realtime searches showing deleted reports/alerts

shazbot79
Path Finder

Hi, I have the following SPL as a dashboard panel which shows realtime searches. This is so I can contact the owners and discuss them converting to a scheduled report instead:

| rest /services/search/jobs | search eventSorting=realtime
| eval author=upper(author)
| lookup snow_sys_user_list.csv user_name as author
| table author label eventSearch dv_name dispatchState, eai:acl.owner, isRealTimeSearch, performance.dispatch.stream.local.duration_secs, runDuration, searchProviders, splunk_server

However, the panel is still showing reports that have been converted to scheduled reports/alerts or deleted entirely. Is there some SPL I have to add to get it to only see "active" real-time searches?

Thanks

 

 

 

0 Karma

jwalthour
Communicator

how about adding …

| search dispatchState != “DONE”

0 Karma

shazbot79
Path Finder

they all have a dispatchState of RUNNING, including the ones that have been amended/deleted....

0 Karma

jwalthour
Communicator

Then, are you sure you’ve stopped the jobs?

0 Karma

shazbot79
Path Finder

Ah....so even if the user deletes their report the job keeps running? 

0 Karma

shazbot79
Path Finder

I have the time picker set to last 24 hours but if I change to last 5 minutes the problem persists.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...