Can anyone let me know how to find the total concurrent searches in Splunk, for example in the last few days, and the details of the search?
I was doing this:
index=_internal source=*metrics.log group="search_concurrency" host=A | timechart span=1m sum(active_hist_searches) as concurrent_searches by host
But I cannot see the type of searches or the search string etc. in it. Is there a way to find it out?
Thanks for the reply. I cannot seem to see sourcetype="searches", though I can see the sourcetype="scheduler".
You could probably accomplish your goal using Splunk internal information. The running jobs are normally tracked by Splunk as follows:
Saved Searches: index="_internal" sourcetype="scheduler" earliest=02/05/2011:12:20:00 latest=02/05/2011:12:25:00
Manual Searches: index="_internal" sourcetype="searches" earliest=02/05/2011:12:20:00 latest=02/05/2011:12:35:00
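An added example, not part of the answer above: one way to get per-search detail alongside concurrency from the scheduler events the answer points to. It assumes those events carry the fields status, savedsearch_name, app, user, run_time (seconds) and dispatch_time (epoch seconds); host=A is taken from the question and the three-day time range is a placeholder.

```spl
index=_internal sourcetype=scheduler host=A status=success earliest=-3d@d latest=now
| eval _time=dispatch_time
| sort 0 _time
| concurrency duration=run_time
| stats max(concurrency) AS peak_concurrency count AS runs avg(run_time) AS avg_run_time BY savedsearch_name app user
| sort 0 - peak_concurrency
```

Replacing the last two lines with `| timechart span=1m max(concurrency) AS concurrent_searches` gives a per-minute view comparable to the metrics.log chart in the question, covering scheduled searches only.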