Splunk Search

How to edit my search to find real-time scheduled searches?

kteng2024
Path Finder

Below is the search i am using to find the real time schedule searches .. but i would like to know which user is running, name of the search, and if possible, when those searches were launched?

index=_internal source=*scheduler.log run_time=* search_type!="scheduled" | stats count by search_type
0 Karma

cmerriman
Super Champion

try this (though you may need/want to do some editing/formating on the savedsearch_name and sheduled_time fields):

index=_internal source=*scheduler.log run_time=* search_type!="scheduled" | stats count by search_type user savedsearch_name scheduled_time
0 Karma

kteng2024
Path Finder

can i please know what the user name " nobody" means ? because real time searches will impact the performance of indexers.

0 Karma

woodcock
Esteemed Legend

Nobody means EITHER the KO was installed by adding an app OR that the owner who created it has been deleted from splunk.

0 Karma

cmerriman
Super Champion
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...