Solved: How search how many concurrent searches (adhoc, re...

melonman · ‎11-24-2015

Hi

Can anyone help me create a search in audittrail index to get the min/avg/max number of concurrent searches in a Splunk environment?
I would like to know how many searches are running concurrently in my environment, and use this info as capacity planning.

Thanks,

sundareshr · ‎11-24-2015

You can adjust the span as appropriate

index=_internal source=*metrics.log group="search_concurrency" | timechart span=1h sum(active_hist_searches) as total | stats avg(total) min(total) max(total)

You could also explore the active_realtime_searches field.

View solution in original post

sundareshr · ‎11-24-2015

You can adjust the span as appropriate

index=_internal source=*metrics.log group="search_concurrency" | timechart span=1h sum(active_hist_searches) as total | stats avg(total) min(total) max(total)

You could also explore the active_realtime_searches field.

landen99 · ‎08-18-2017

I downvoted this post because "sum(active_hist_searches)" doesn't have any real meaning. if i reported a million times in an hour that there was 1 active search, you would see 1 million searches as "total".

melonman · ‎12-02-2015

Should aggregation be "sum(active_hist_searches)" or "avg(active_hist_searches)" OR maybe max() ??

How search how many concurrent searches (adhoc, report, summary, etc) are running at the same time in my environment?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!