I'd like to be able to include the search run time in the search results. If we have two different searches and we are attempting to evaluate the efficiency of the search, we'd like to be able to view the run time of each of the searches during the evaluation process.
I know this can be done by running them singularly and then "Inspect Job"; however, I'd like to be able to view it as an output of the search.
If these are saved/scheduled searches, you can run the below command :
index=_internal sourcetype=scheduler| table _time host user savedsearch_name status scheduled_time run_time result_count
The run_time column will give you the time take for the search to be completed.
I have the same question and can do this:
|history | search status=completed search=*UniqueStringInSearch* search!=*history* | table _time result_count scan_count total_run_time
But I cant seem to schedule the search and get the |history command to work with scheduled searches.
I don't know if a search can deliver this information directly, the only thing I know that is close to what you are looking for is addinfo
which only adds the timeframe used, the sid and the time of execution. But every search you run is logged in the _audit index, so you could search there to evaluate your searches. This index keeps the runtime of your searches, which user started it, how many results it had, the search id and much more. You could pretty easily get the sid from your initial search with addinfo
, put in in a token and then look for the runtime with a second search such as
index=_audit search_id=$sid$
I would be interested to see if there is another way to get this directly from the search though.