Hi All... I am trying to find the long-running search queries using this REST search. It's working fine, but it has a field "runDuration". As per the doc:
runDuration: Time in seconds that the search took to complete.
https://docs.splunk.com/Documentation/Splunk/8.1.1/RESTREF/RESTsearch#search.2Fjobs
But it seems the runDuration values are totally wrong (the 1st value, 22456767.32, is close to 259 days):
| rest /services/search/jobs splunk_server=* | table runDuration
(sorted as per runDuration)
runDuration
22456767.32
4493630.885
4364271.151000001
4156740.1780000003
4156682.699
4155523.87
4154739.233
4154733.224
4154682.228
4154629.832
Ours is an indexer-clustered, SH-clustered environment. I run this query at the monitoring console.
1. Is the runDuration from the REST job inaccurate/wrong?
2. Apart from the REST query, are there any other ways to find out the search run time, please?
I used:
index=_audit action="search" search=* NOT user="splunk-system-user" exec_time=*
| table search total_run_time user result_count is_realtime host
This looks like the perfect one, but it does not have the user's time picker info (what value the user used for earliest and latest times). Please suggest, thanks.
The last query is a good one to use for run times. To get earliest and latest times, I use this:
| rest splunk_server=local /servicesNS/-/-/saved/searches
| table title dispatch.earliest_time dispatch.latest_time
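Added example, not part of any post in this thread: the audit search from the question, extended to show the time range each long-running search covered. It assumes the action=search audit events in your Splunk version carry the info, search_id, api_et and api_lt fields (api_et and api_lt being the epoch earliest and latest of the requested range); the 300-second threshold is a constructed value.

```spl
index=_audit action=search (info=granted OR info=completed) search_id=* NOT user="splunk-system-user"
| eval search_id=trim(search_id, "'")
| stats latest(_time) as finished
        values(user) as user
        latest(search) as search
        max(total_run_time) as total_run_time
        max(result_count) as result_count
        latest(api_et) as api_et
        latest(api_lt) as api_lt
        max(is_realtime) as is_realtime
        by search_id host
| where total_run_time > 300
| eval et=tonumber(api_et), lt=tonumber(api_lt)
| eval earliest=if(isnull(et), "not set", strftime(et, "%Y-%m-%d %H:%M:%S"))
| eval latest=if(isnull(lt), "not set", strftime(lt, "%Y-%m-%d %H:%M:%S"))
| eval window_hours=round((lt - et) / 3600, 2)
| eval finished=strftime(finished, "%Y-%m-%d %H:%M:%S")
| sort - total_run_time
| table finished user host search_id total_run_time earliest latest window_hours result_count is_realtime search
```

A search whose api_et or api_lt is not numeric shows "not set" for that bound and gets no window_hours value.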
Hi @scelikok @gcusello @to4kawa @bowesmana @ITWhisperer ... any suggestions, please?