Solved: How search how many concurrent searches (adhoc, re...

melonman · ‎11-24-2015

Hi

Can anyone help me create a search in audittrail index to get the min/avg/max number of concurrent searches in a Splunk environment?
I would like to know how many searches are running concurrently in my environment, and use this info as capacity planning.

Thanks,

sundareshr · ‎11-24-2015

You can adjust the span as appropriate

index=_internal source=*metrics.log group="search_concurrency" | timechart span=1h sum(active_hist_searches) as total | stats avg(total) min(total) max(total)

You could also explore the active_realtime_searches field.

View solution in original post

sundareshr · ‎11-24-2015

You can adjust the span as appropriate

index=_internal source=*metrics.log group="search_concurrency" | timechart span=1h sum(active_hist_searches) as total | stats avg(total) min(total) max(total)

You could also explore the active_realtime_searches field.

landen99 · ‎08-18-2017

I downvoted this post because "sum(active_hist_searches)" doesn't have any real meaning. if i reported a million times in an hour that there was 1 active search, you would see 1 million searches as "total".

melonman · ‎12-02-2015

Should aggregation be "sum(active_hist_searches)" or "avg(active_hist_searches)" OR maybe max() ??

How search how many concurrent searches (adhoc, report, summary, etc) are running at the same time in my environment?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!