How to create an alert or a report to track the nu...

Abass42 · ‎08-02-2023

I am trying to create an alert or a report to track the number of deferred searches. We had an issue where the cluster captain deferred a massive amount of searches, and it messed up a few things. We are trying to create an alert to maybe mitigate that in the future. In addition to asking the best way to create a alert for this, id also like some more clarification on how to find the deferred searches.

Through the monitoring console, either through the DMC or the Cluster Master, I thought i had seen a panel for deferred searches, but i can not find one now. And when i run the search

index=_internal earliest=-24h "status=skipped"  sourcetype=scheduler 
| stats  count by host app | sort - count

I get results, but if i change status to deferred, which i assume is a status, I do not get anything.

I was suggested to run

| rest /services/search/jobs 
| search status=deferred 
| table id, search, app, owner, earliest_time, latest_time, status, sid

but I do not get any status. Status is not a field.

The main question I have is How do I access the number of deferred searches? If i can find that, I can run stats count on it.

Thank you.

isoutamo · ‎08-02-2023

Hi

if I recall right you should find that information from MC under Search menu. There is scheduler and then you see different options under deployment and instance. The information what you are looking should be there.
r. Ismo

How to create an alert or a report to track the number of deferred searches?

search job inspector

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!