Splunk Search

Splunk Searches

whitecat001
Explorer

Pls what is the rest endpoint for searches that users are running 

0 Karma

deepakc
Builder

For running jobs - try this from the GUI - see the link for curl base CLI command

| rest splunk_server=local /services/search/jobs 
| fields author title, updated, search, runDuration, provenance, latestTime, owner eai:acl.app, diskUsage 
| rename author AS user eai:acl.app AS app title AS search_code 
| eval diskUsage_MB = round(diskUsage/1024/1024,2) 
| table user search_code, updated, search, runDuration, provenance, latestTime, owner, app diskUsage_MB

Here's the Rest API and others

https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTsearch#search.2Fjobs 

 

0 Karma

whitecat001
Explorer

Thanks for the response can i get a query that helps to show how much searches are been ran per indexes volume

0 Karma

deepakc
Builder

Maybe this is what you need. Note, as far as I know there are no fields that show the index used by a search,  that show the index used by searches, so you have to extract that from the SPL code,  and index= can be all over the place in the code and also in macros,  so its tricky, but may be this will work for you.

This shows the count of searches by index_used

| rest splunk_server=local /services/search/jobs 
| fields author title, updated, search, runDuration, provenance, latestTime, owner eai:acl.app, diskUsage 
| rename author AS user eai:acl.app AS app title AS search_code 
| rex field=search_code "(?<index_used>index\s*=\s*[^ ]+|index\s+IN|search\s*=\s*index=|search\s*=\s*inputlookup\s+in|index\s*=_\*)" 
| stats count(search_code) AS volume_of_searches_ran BY index_used
| sort - volume_of_searches_ran


 

 


0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...