Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

identify which user is doing longest searches

amirarsalan
Explorer
‎07-10-2019 06:37 AM

Hi Everyone!

I need some help to identify which user are running longest/bad searches. Sometimes splunk goes very slow and it indicate that someone running searches/jobs that is not god and I want to identify who it is and see the search string for that user.

Someone that can help me with a query

Tags (1)
0 Karma
Reply

asneed_eu
Path Finder
‎07-10-2019 07:06 AM

The _audit index should have this information.

This would show a list of searches sorted by execution time by user:

index=_audit action="search" search=* NOT user="splunk-system-user" exec_time=* | table search total_run_time user | sort - total_run_time

You could also look at which users have the longest running searches on average:

index=_audit action="search" search=* NOT user="splunk-system-user" exec_time=* | stats avg(total_run_time) by user
Reply

amirarsalan
Explorer
‎07-11-2019 12:18 AM

Hi @asneed_eu

Thanks for your replay. It seems to works but i can only see my username. Can't see other users.

0 Karma
Reply

amirarsalan
Explorer
‎07-11-2019 02:44 AM

Beside that I can't see the total_run_time and on the search field it's only "*"

0 Karma
Reply

adonio
Ultra Champion
‎07-10-2019 07:05 AM

its out of the box with the MC (DMC)
search -> activity -> Search Usage Statistics: Deployment

0 Karma
Reply

amirarsalan
Explorer
‎07-11-2019 01:11 AM

Hi @adonio

Is this in splunk-master? If it is then i can only see users that have access to splunk-master, and that is only 3 persons.

0 Karma
Reply

adonio
Ultra Champion
‎07-11-2019 05:36 AM

not the Cluster Master, its called Splunk Monitoring Console.
https://docs.splunk.com/Documentation/Splunk/7.3.0/DMC/DMCoverview
https://docs.splunk.com/Documentation/Splunk/7.3.0/DMC/Searchusagestatistics

0 Karma
Reply

amirarsalan
Explorer
‎07-11-2019 05:55 AM

I can only see "Add Data" there is no Splunk Monitoring Console. I can only found it in master.
And i'm a admin user

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...