hey @ddrillic
try this
| rest /services/search/jobs | search eventSorting=realtime
I hope that helps you!
Use |rest /services/search/jobs|search isRealTimeSearch=1
to see if that gets you what you need.
See the documentation at http://docs.splunk.com/Documentation/Splunk/4.3.6/RESTAPI/RESTsearch#GET_search.2Fjobs to know what fields you might want.
|rest /services/search/jobs|search isRealTimeSearch=1
works; however, it doesn't seem to work on expired jobs.
I have this running as an alert to let me know who is running rt searches, and for how long.
| rest /services/search/jobs
| search eventSorting=realtime
| table label, author, dispatchState, eai:acl.owner, isRealTimeSearch,
performance.dispatch.stream.local.duration_secs, runDuration, searchProviders,
splunk_server, title
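The alert above pulls the same job list that a script can fetch directly from the REST endpoint. The following is an added example (not code from this thread or from Splunk) that calls GET /services/search/jobs with output_mode=json, keeps only entries whose isRealTimeSearch is set, and ranks them by runDuration so the longest-running real-time searches surface first. The host, token, and the embedded SAMPLE_RESPONSE are constructed placeholders, and the field layout (entry[].acl.owner, entry[].content.*) is an assumption about the JSON output mode; adjust it to what your instance returns. As the thread notes, the endpoint only lists jobs still present in the dispatch directory, so expired jobs will not appear.

```python
import json
from typing import Any
from urllib.request import Request, urlopen

# Hypothetical connection settings; placeholders, replace with your own values.
SPLUNK_BASE_URL = "https://splunk.example.invalid:8089"
SPLUNK_TOKEN = "<your-splunk-auth-token>"


def fetch_jobs(base_url: str = SPLUNK_BASE_URL, token: str = SPLUNK_TOKEN) -> dict:
    """GET /services/search/jobs as JSON; count=0 asks for every entry.

    Same endpoint the SPL `| rest /services/search/jobs` command reads."""
    req = Request(
        f"{base_url}/services/search/jobs?output_mode=json&count=0",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _truthy(value: Any) -> bool:
    # Boolean fields may arrive as JSON true/false or as the strings "1"/"true".
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true")


def realtime_jobs(jobs_json: dict) -> list:
    """Return real-time jobs (isRealTimeSearch set), longest-running first."""
    rows = []
    for entry in jobs_json.get("entry", []):
        content = entry.get("content", {})
        if not _truthy(content.get("isRealTimeSearch")):
            continue
        # Assumed layout: owner lives under entry["acl"] in JSON output,
        # which is the eai:acl.owner field seen through `| rest`.
        owner = entry.get("acl", {}).get("owner")
        rows.append({
            "sid": entry.get("name"),
            "author": entry.get("author"),
            "owner": owner,
            "dispatchState": content.get("dispatchState"),
            "runDuration": float(content.get("runDuration") or 0.0),
            "label": content.get("label"),
            "title": content.get("title"),
        })
    rows.sort(key=lambda r: r["runDuration"], reverse=True)
    return rows


def long_running(rows: list, threshold_secs: float) -> list:
    """Subset of real-time jobs that have run longer than threshold_secs."""
    return [r for r in rows if r["runDuration"] > threshold_secs]


# Constructed sample response shaped like the JSON output mode (not real data).
SAMPLE_RESPONSE = {
    "entry": [
        {"name": "rt_1700000000.1", "author": "alice", "acl": {"owner": "alice"},
         "content": {"isRealTimeSearch": True, "dispatchState": "RUNNING",
                     "runDuration": 5400.2, "label": "rt-errors",
                     "title": "search index=main error | stats count"}},
        {"name": "1700000100.2", "author": "bob", "acl": {"owner": "bob"},
         "content": {"isRealTimeSearch": False, "dispatchState": "DONE",
                     "runDuration": 12.5, "label": "",
                     "title": "search index=main | head 100"}},
        {"name": "rt_1700000200.3", "author": "carol", "acl": {"owner": "carol"},
         "content": {"isRealTimeSearch": "1", "dispatchState": "RUNNING",
                     "runDuration": "180.0", "label": "",
                     "title": "search index=_internal | timechart count"}},
    ]
}

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_jobs() for a live instance.
    for row in realtime_jobs(SAMPLE_RESPONSE):
        print(f"{row['owner']:<10} {row['dispatchState']:<8} "
              f"{row['runDuration']:>8.1f}s  {row['title']}")
    print("over 1h:", [r["owner"] for r in long_running(realtime_jobs(SAMPLE_RESPONSE), 3600)])
```

Run it unchanged to see the filtering over the sample; point it at a live instance by replacing SAMPLE_RESPONSE with fetch_jobs() and scheduling it on the same cadence as the alert. The string-or-boolean handling in _truthy is what keeps the filter from silently dropping jobs when the instance renders isRealTimeSearch as "1".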
According to the documentation below, there is not an option for eventSorting=realtime.
Indicates if the events of this search are sorted, and in which order.
asc = ascending;
desc = descending;
none = not sorted
Would the actual setting to be used be isRealTimeSearch?
You can get cleaner results by adding a table.
|rest /services/search/jobs
| search eventSorting=realtime
| table label, author, dispatchState, eai:acl.owner, isRealTimeSearch,
performance.dispatch.stream.local.duration_secs, runDuration,
splunk_server, title