Re: rest jobs runDuration inaccurate values

inventsekar · ‎02-02-2021

Hi All... As i am trying to find out the the long running search queries using this rest search, its working fine, but, its having a field "runDuration", as per the doc:

runDuration Time in seconds that the search took to complete.
https://docs.splunk.com/Documentation/Splunk/8.1.1/RESTREF/RESTsearch#search.2Fjobs

but, it seems the runDuration values are totally wrong (the 1st value 22456767.32 is close to 259days)

| rest /services/search/jobs splunk_server=* | table runDuration

(sorted as per runDuration)

runDuration
22456767.32
4493630.885
4364271.151000001
4156740.1780000003
4156682.699
4155523.87
4154739.233
4154733.224
4154682.228
4154629.832

ours is a indexer clustered, SH clustered, environment. i run this query at the monitoring console.

1. is the runDuration from the rest job is inaccurate/wrong?

2. apart from rest query, is there any other ways to find out the search run time please?

i used -

index=_audit action="search" search=* NOT user="splunk-system-user" exec_time=*
| table search total_run_time user result_count is_realtime host

this looks like perfect one, but, its not having the user's timepicker info(what value the user used for earliest and latest times).. please suggest, thanks.

richgalloway · ‎02-03-2021

The last query is a good one to use for run times. To get earliest and latest times, I use this:

| rest splunk_server=local /servicesNS/-/-/saved/searches
| table title dispatch.earliest_time dispatch.latest_time

---
If this reply helps you, Karma would be appreciated.

inventsekar · ‎02-02-2021

Hi @scelikok @gcusello @to4kawa @bowesmana @ITWhisperer ...any suggestions please..

rest jobs runDuration inaccurate values

search job inspector

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!