Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Monitoring Console (MC) search activity is not recognizing saved search (scheduled search)

brandy81
Path Finder
‎07-20-2021 06:47 AM

Hi All,

At Monitoring Console (MC) --> Search Activity : Instance, there is "top 20 Memory-consuming searches", which is searching from index=_introspection.

As I run the search, it is not recognizing saved search (scheduled search).  Why doesn't the search starting index=_introspection recognize saved search (scheduled search)? It seems not it returns results from all searches.

How do I get to know memory consumption of all searches including saved search(scheduled search)? Do I have to join index=_introspection and index=_audit?

 

 

 

Labels (2)
0 Karma
Reply

codebuilder
SplunkTrust
SplunkTrust
‎07-23-2021 12:51 PM

The DMC does indeed report on saved/scheduled searches. If you are not seeing them you might want to verify that all your instances are forwarding their _introspection logs and/or if they are properly configured for monitoring by the DMC.

See the following for more:
https://docs.splunk.com/Documentation/Splunk/8.2.1/DMC/SearchactivityDeploymentwide
https://docs.splunk.com/Documentation/Splunk/8.2.1/DMC/DMCprerequisites

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!