Solved: Search that shows scheduled time of saved searches

brdr · ‎04-26-2019

Hello,

We have a few thousand savedsearches. Most of times that they are scheduled is at the top of the hour and its affecting performance across the enterprise. Is there a search i can run that shows me the name of the saved search, the next time it is scheduled and the owner? This way i can direct the owner to use cron schedule and use an off hour time to mitigate our performance issue.

Thank you

somesoni2 · ‎04-26-2019

Give this a try. This uses cron-schedule of the search to identity if it's running every 1/5/10/15/20/30/60 min on the hours.

| rest /servicesNS/-/-/saved/searches splunk_server=local |where disabled=0 AND is_scheduled=1 | rex field=cron_schedule "(?<Min>\S+)\s+(?<Hr>\S+)\s+(?<Day>\S+)\s+(?<Mon>\S+)\s+(?<Wday>\S+)" | table author eai:acl.app  title disabled is_scheduled  cron_schedule Min Hr Day Mon Wday search | rename eai:acl.app as appName title as searchName
| eval searchType=case(cron_schedule="* * * * *", "Running Every Minute", 
        (Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/5"), "Running Every 5 Minute", 
        (Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/10"), "Running Every 10 Minute", 
        (Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/15"), "Running Every 15 Minute", 
        (Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/20"), "Running Every 20 Minute", 
        (Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/30"), "Running Every 30 Minute", 
       (Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/30"), "On the hour", 
         match(cron_schedule,"^(\d+,\d+)+ \* \* \* \*$"), "Running Multiple times every hour", 
         match(cron_schedule,"^\d+ \* \* \* \*$"), "Running Every Hour", 
         match(cron_schedule,"^\d+ \d+ \* \* \*$"), "Running Daily",true(),"Other")

View solution in original post

somesoni2 · ‎04-26-2019

Give this a try. This uses cron-schedule of the search to identity if it's running every 1/5/10/15/20/30/60 min on the hours.

| rest /servicesNS/-/-/saved/searches splunk_server=local |where disabled=0 AND is_scheduled=1 | rex field=cron_schedule "(?<Min>\S+)\s+(?<Hr>\S+)\s+(?<Day>\S+)\s+(?<Mon>\S+)\s+(?<Wday>\S+)" | table author eai:acl.app  title disabled is_scheduled  cron_schedule Min Hr Day Mon Wday search | rename eai:acl.app as appName title as searchName
| eval searchType=case(cron_schedule="* * * * *", "Running Every Minute", 
        (Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/5"), "Running Every 5 Minute", 
        (Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/10"), "Running Every 10 Minute", 
        (Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/15"), "Running Every 15 Minute", 
        (Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/20"), "Running Every 20 Minute", 
        (Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/30"), "Running Every 30 Minute", 
       (Hr="*" AND Day="*" AND Mon="*" AND Wday="*" ) AND (Min="*/30"), "On the hour", 
         match(cron_schedule,"^(\d+,\d+)+ \* \* \* \*$"), "Running Multiple times every hour", 
         match(cron_schedule,"^\d+ \* \* \* \*$"), "Running Every Hour", 
         match(cron_schedule,"^\d+ \d+ \* \* \*$"), "Running Daily",true(),"Other")

brdr · ‎04-26-2019

Awesome. Thank you somesoni2!

dillardo_2 · ‎08-13-2019

Thanks for the assist!

Search that shows scheduled time of saved searches

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life