Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- List or View Scheduled searches
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can view all the scheduled search using
| rest /services/saved/searches | where is_scheduled=1
To get a history of scheduled search , check the internal logs
index=_internal sourcetype=scheduler | table _time user savedsearch_name status scheduled_time run_time result_count
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anyone got any ideas for this issue?!?!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can view all the scheduled search using
| rest /services/saved/searches | where is_scheduled=1
To get a history of scheduled search , check the internal logs
index=_internal sourcetype=scheduler | table _time user savedsearch_name status scheduled_time run_time result_count
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As always, Splunk continues to improve and with the improvements, I would suggest a different search:
| rest /services/saved/searches search="is_scheduled=1"
What's the different between this and using rest with where?
In typically Splunk fashion, the earlier you do filtering, the more efficient the search should be. This should push the filtering down to the search peers which means they (potentially) return fewer results to the search head.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While early filtering is a good rule of thumb, in this instance remember the "where" command is categorized as a Distributable Streaming search process, so this would also be done at the index level and more importantly can be done BEFORE the final output, so it does not necessarily generate more traffic as Splunk will send it down as well knowing this fact about the "where" command.
But, like I said, and learned from a great teacher I had, that is generally a good rule of thumb to follow 😉
Also, the above about Distributable Streaming goes for: eval, fields, rex, where, etc.
For the curious, here's a great read to understand how searching works wrt different commands:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Search/Typesofcommands
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
