Monitoring Console (MC) search activity is not rec...

brandy81 · ‎07-20-2021

Hi All,

At Monitoring Console (MC) --> Search Activity : Instance, there is "top 20 Memory-consuming searches", which is searching from index=_introspection.

As I run the search, it is not recognizing saved search (scheduled search). Why doesn't the search starting index=_introspection recognize saved search (scheduled search)? It seems not it returns results from all searches.

How do I get to know memory consumption of all searches including saved search(scheduled search)? Do I have to join index=_introspection and index=_audit?

codebuilder · ‎07-23-2021

The DMC does indeed report on saved/scheduled searches. If you are not seeing them you might want to verify that all your instances are forwarding their _introspection logs and/or if they are properly configured for monitoring by the DMC.

See the following for more:
https://docs.splunk.com/Documentation/Splunk/8.2.1/DMC/SearchactivityDeploymentwide
https://docs.splunk.com/Documentation/Splunk/8.2.1/DMC/DMCprerequisites

----
An upvote would be appreciated and Accept Solution if it helps!

Monitoring Console (MC) search activity is not recognizing saved search (scheduled search)

monitoring console

search performance

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Automatic Discovery Part 2: Setup and Best Practices

Are you a member of the Splunk Community?