Alerting

How to know if scheduled searches are used in some dashboards or for alerting?

muizash
Path Finder

Actually, some scheduled searches are taking a lot of CPU usage. I want to know if they are used in dashboards or for the purpose of alerting, so that if they are used for dashboards, I could decrease the frequency of those searches.
Thanks

0 Karma

woodcock
Esteemed Legend

Check if the scheduled searches have any of these features:

  • SPL commands `sendemail` OR `outputlookup` (and possibly others like ServiceNow ones that start with `snow*`, depending on what apps you have installed and what custom commands they create and what those commands do).
  • Alert actions of any kind.
  • Referenced inside of other SPL (dashboards, panels, reports, or saved searches) through `| loadjob` or `| savedsearch`.

0 Karma

gcusello
SplunkTrust

Hi muizash,
usually scheduled searches aren't used in dashboards but only in alerts and to populate lookups or summaries or reports to use in dashboards.
To understand if you can modify the frequency of your scheduled searches, you should first point to the heaviest ones and see their own scope (alert, lookup, summary or report).
So you can choose if the frequency is correct or not:

  • if not correct, you can modify it,
  • otherwise, the only way is to scale the architecture by adding CPUs to Search Heads and/or Indexers or adding additional servers.

Ciao.
Giuseppe

punyanit
Path Finder

This search will list the scheduled searches with the scheduled time and status. From here you can see if the scheduled search is getting used anywhere or not.

```
index=_internal source=*scheduler.log
| eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S")
| table sched status savedsearch_name
```

Then you can use the search below to list all the scheduled searches and then compare the results:

```
| rest /services/saved/searches search="is_scheduled=1"
```

0 Karma
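
Added example (not written by any poster in this thread): the Python below applies the three checks from woodcock's answer (alert actions, `sendemail`/`outputlookup`, and references through `| loadjob`, `| savedsearch` or a panel's `ref` attribute) to saved-search and dashboard definitions exported from Splunk's REST API. The record layout, sample data and function names are constructed for illustration, and it assumes Simple XML dashboards.

```python
import re
import xml.etree.ElementTree as ET

# Only the two output commands named in the thread; extend per installed apps.
OUTPUT_CMDS = re.compile(r"\|\s*(sendemail|outputlookup)\b", re.I)
# Matches `| savedsearch <name>` and `| loadjob savedsearch="owner:app:name"`.
REF_CMDS = re.compile(
    r'\|\s*(?:savedsearch|loadjob)\s+(?:savedsearch=)?(?:"([^"]+)"|(\S+))', re.I)

def referenced_names(spl):
    """Names of saved searches that a piece of SPL pulls results from."""
    found = REF_CMDS.findall(spl or "")
    # Assumption: saved-search names contain no ":" (loadjob's separator).
    return {(quoted or bare).split(":")[-1] for quoted, bare in found}

def classify(saved, dashboards):
    """Map each scheduled search to the reasons something depends on it."""
    used_by = {}
    for title, xml_text in dashboards.items():
        for s in ET.fromstring(xml_text).iter("search"):
            names = referenced_names(s.findtext("query"))
            if s.get("ref"):  # panel backed directly by a saved report
                names.add(s.get("ref"))
            for n in names:
                used_by.setdefault(n, set()).add("dashboard:" + title)
    for ss in saved:  # saved searches that read another search's results
        for n in referenced_names(ss["search"]):
            used_by.setdefault(n, set()).add("search:" + ss["name"])
    report = {}
    for ss in saved:
        if not ss["is_scheduled"]:
            continue
        reasons = ["alert_action"] if ss["actions"] else []
        if OUTPUT_CMDS.search(ss["search"]):
            reasons.append("output_command")
        reasons += sorted(used_by.get(ss["name"], ()))
        report[ss["name"]] = reasons or ["no_consumer_found"]
    return report

# Constructed sample data, shaped like fields of the saved/searches and
# data/ui/views REST endpoints (name, search, actions, is_scheduled, eai:data).
SAVED = [
    {"name": "Failed logins alert", "is_scheduled": True, "actions": "email",
     "search": "index=auth action=failure | stats count by user"},
    {"name": "Asset lookup gen", "is_scheduled": True, "actions": "",
     "search": "index=cmdb | table host owner | outputlookup assets.csv"},
    {"name": "Traffic summary", "is_scheduled": True, "actions": "",
     "search": "index=fw | timechart count"},
    {"name": "Orphan report", "is_scheduled": True, "actions": "",
     "search": "index=web | top uri"},
]
DASHBOARDS = {"soc_overview": '<dashboard><row><panel><chart>'
    '<search ref="Traffic summary"/></chart><table><search><query>'
    '| loadjob savedsearch="admin:search:Asset lookup gen"'
    '</query></search></table></panel></row></dashboard>'}
```

A search reported as `no_consumer_found` can still be opened by hand as a report, so treat that result as a candidate for review rather than proof it is unused.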