Including Search Run Time in Search Results

eepperman
Engager

I'd like to be able to include the search run time in the search results. If we have two different searches and we are attempting to evaluate the efficiency of the search, we'd like to be able to view the run time of each of the searches during the evaluation process.

I know this can be done by running them singularly and then "Inspect Job"; however, I'd like to be able to view it as an output of the search.

vr2312
Contributor

If these are saved/scheduled searches, you can run the command below:

index=_internal sourcetype=scheduler | table _time host user savedsearch_name status scheduled_time run_time result_count

The run_time column will give you the time taken for the search to be completed.

jkat54
SplunkTrust

I have the same question and can do this:

|history | search status=completed search=*UniqueStringInSearch* search!=*history* | table _time result_count scan_count total_run_time

But I can't seem to schedule the search and get the |history command to work with scheduled searches.

jeffland
SplunkTrust

I don't know if a search can deliver this information directly; the only thing I know that is close to what you are looking for is addinfo, which only adds the timeframe used, the sid and the time of execution. But every search you run is logged in the _audit index, so you could search there to evaluate your searches. This index keeps the runtime of your searches, which user started it, how many results it had, the search id and much more. You could pretty easily get the sid from your initial search with addinfo, put it in a token and then look for the runtime with a second search such as

index=_audit search_id=$sid$

I would be interested to see if there is another way to get this directly from the search though.
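
The audit lookup described in the reply above, worked offline as an added example that is not part of the original thread: it parses audit-style events, keys the completed ones by search id and compares the run time of two searches. The sample events are constructed, and the event layout and the info=completed marker are assumptions of this example; search_id, total_run_time, scan_count and result_count are the field names used in the thread.

```python
import re

# Constructed sample events in a key=value audit style (layout is an assumption).
SAMPLE_AUDIT = """\
Audit:[timestamp=03-01-2024 10:00:01.120, user=alice, action=search, info=granted, search_id='1709287201.11', search='search index=web error']
Audit:[timestamp=03-01-2024 10:00:09.870, user=alice, action=search, info=completed, search_id='1709287201.11', total_run_time=8.25, result_count=420, scan_count=91500]
Audit:[timestamp=03-01-2024 10:02:00.300, user=alice, action=search, info=granted, search_id='1709287320.12', search='| tstats count where index=web']
Audit:[timestamp=03-01-2024 10:02:01.010, user=alice, action=search, info=completed, search_id='1709287320.12', total_run_time=0.75, result_count=1, scan_count=0]
"""

# A value is either single-quoted (may contain commas and '=') or runs to the
# next comma or closing bracket.
PAIR = re.compile(r"(\w+)=('[^']*'|[^,\]]*)")


def parse_event(line):
    """Turn one audit line into a dict, stripping the quotes around values."""
    return {key: value.strip().strip("'") for key, value in PAIR.findall(line)}


def run_times(audit_text):
    """Map search_id -> stats for searches that logged a completed event."""
    stats = {}
    for line in audit_text.splitlines():
        ev = parse_event(line)
        if ev.get("action") != "search" or ev.get("info") != "completed":
            continue  # granted/other events carry no run time
        if "search_id" not in ev or "total_run_time" not in ev:
            continue  # incomplete event, nothing to compare
        stats[ev["search_id"]] = {
            "user": ev.get("user"),
            "total_run_time": float(ev["total_run_time"]),
            "scan_count": int(ev.get("scan_count", 0)),
            "result_count": int(ev.get("result_count", 0)),
        }
    return stats


def compare(audit_text, sid_a, sid_b):
    """Report which of two searches finished faster and by what factor."""
    stats = run_times(audit_text)
    a = stats[sid_a]["total_run_time"]
    b = stats[sid_b]["total_run_time"]
    faster = sid_a if a < b else sid_b
    return {"faster": faster, "speedup": round(max(a, b) / min(a, b), 2)}


if __name__ == "__main__":
    print(compare(SAMPLE_AUDIT, "1709287201.11", "1709287320.12"))
```

Comparing scan_count alongside total_run_time shows whether a faster search is faster because it reads fewer events.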
