Solved: How search how many concurrent searches (adhoc, re...

melonman · ‎11-24-2015

Hi

Can anyone help me create a search in audittrail index to get the min/avg/max number of concurrent searches in a Splunk environment?
I would like to know how many searches are running concurrently in my environment, and use this info as capacity planning.

Thanks,

sundareshr · ‎11-24-2015

You can adjust the span as appropriate

index=_internal source=*metrics.log group="search_concurrency" | timechart span=1h sum(active_hist_searches) as total | stats avg(total) min(total) max(total)

You could also explore the active_realtime_searches field.

View solution in original post

sundareshr · ‎11-24-2015

You can adjust the span as appropriate

index=_internal source=*metrics.log group="search_concurrency" | timechart span=1h sum(active_hist_searches) as total | stats avg(total) min(total) max(total)

You could also explore the active_realtime_searches field.

landen99 · ‎08-18-2017

I downvoted this post because "sum(active_hist_searches)" doesn't have any real meaning. if i reported a million times in an hour that there was 1 active search, you would see 1 million searches as "total".

melonman · ‎12-02-2015

Should aggregation be "sum(active_hist_searches)" or "avg(active_hist_searches)" OR maybe max() ??

How search how many concurrent searches (adhoc, report, summary, etc) are running at the same time in my environment?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...