Hi Craig -
The search query below might help you. Select Real-time from the time range picker.
index=_internal source=*metrics.log group=search_concurrency user=* | eval total = active_hist_searches + active_realtime_searches | timechart max(total) by user agg=max useother=f limit=20
If you are using Splunk 6.2, just look at your Management Console: Settings -> Distributed Management Console.
Note that only admins can access it. Once you are there, take a look at the CONCURRENT SEARCHES. Click on the number of searches displayed to get the snapshots of all the concurrent system searches.
Thanks.
Hi @craigmueller
I was looking around at other posts and a couple of them suggested using the Splunk on Splunk (S.o.S) app https://apps.splunk.com/app/748/
I second what @ppablo_splunk mentioned. Splunk on Splunk will give the count, search performance, mode, role, etc. Install Splunk on Splunk and from the Search menu, select Search Activity. Here's a sample search that's telling me the maximum search concurrency and utilization:
`set_sos_index` sourcetype=ps host="Aryahi-PC"
| multikv
| `get_splunk_process_type`
| search type="searches"
| `get_search_props`
| bin _time span=`ps_sos_period`s
| search mode = real-time
| stats dc(sid) as search_count by _time user
| timechart `bucketize_ps_sos` max(search_count) AS "Concurrent search count" by user
Hope this helps!
Thanks,
Raghav