Table: splunk_search_job - Query Splunk Search Jobs using SQL
Splunk Search Jobs is a feature within Splunk that enables users to execute searches and store the results. These search jobs can be saved for future reference or used to create alerts, visualizations, and reports. It provides a way to manage and track the progress of all searches executed in the Splunk environment.
Table Usage Guide
The splunk_search_job table provides insights into the search jobs executed within the Splunk environment. As a security analyst or a Splunk administrator, you can explore job-specific details through this table, including search parameters, status, and associated metadata. Utilize it to uncover information about search jobs, such as those running for an extended period, the progress of specific search jobs, and the verification of search parameters.
Examples
Basic info
Analyze the settings to understand the performance and resource usage of search jobs in Splunk. This can help in identifying any jobs that are consuming excessive resources or taking too long to run, thereby aiding in efficient resource management and performance optimization.
select sid, event_count, run_duration, earliest_time, disk_usagefrom splunk_search_job;select sid, event_count, run_duration, earliest_time, disk_usagefrom splunk_search_job;List incomplete search jobs
Determine the areas in which search jobs are still in progress to manage resources effectively by identifying jobs that are consuming significant resources and time.
select sid, event_count, run_duration, earliest_time, disk_usagefrom splunk_search_jobwhere not is_done;select sid, event_count, run_duration, earliest_time, disk_usagefrom splunk_search_jobwhere is_done is not 1;List failed search jobs
Identify instances where search jobs have failed to gain insights into potential issues that may be impacting system performance or data accuracy.
select sid, event_count, run_duration, earliest_time, disk_usagefrom splunk_search_jobwhere is_failed;select sid, event_count, run_duration, earliest_time, disk_usagefrom splunk_search_jobwhere is_failed = 1;Schema for splunk_search_job
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| cursor_time | timestamp with time zone | The earliest time from which no events are later scanned. Can be used to indicate progress. See description for doneProgress. | |
| custom | jsonb | Custom job property. | |
| delegate | text | For saved searches, specifies jobs that were started by the user. Defaults to scheduler. | |
| disk_usage | bigint | The total amount of disk space used, in bytes. | |
| dispatch_state | text | The state of the search. Can be any of QUEUED, PARSING, RUNNING, PAUSED, FINALIZING, FAILED, DONE. | |
| done_progress | double precision | A number between 0 and 1.0 that indicates the approximate progress of the search. doneProgress = (latestTime – cursorTime) / (latestTime – earliestTime). | |
| drop_count | bigint | For real-time searches only, the number of possible events that were dropped due to the rt_queue_size (default to 100000). | |
| earliest_time | timestamp with time zone | The earliest time a search job is configured to start. Can be used to indicate progress. | |
| event_available_count | bigint | The number of events that are available for export. | |
| event_count | bigint | The number of events returned by the search. | |
| event_field_count | bigint | The number of fields found in the search results. | |
| event_is_streaming | boolean | Indicates if the events of this search are being streamed. | |
| event_is_truncated | boolean | Indicates if events of the search are not stored, making them unavailable from the events endpoint for the search. | |
| event_search | text | Subset of the entire search that is before any transforming commands. The timeline and events endpoint represents the result of this part of the search. | |
| event_sorting | text | Indicates if the events of this search are sorted, and in which order: asc, desc, none. | |
| is_done | boolean | Indicates if the search has completed. | |
| is_event_preview_enabled | boolean | Indicates if the timeline_events_preview setting is enabled in limits.conf. | |
| is_failed | boolean | Indicates if there was a fatal error executing the search. For example, invalid search string syntax. | |
| is_finalized | boolean | Indicates if the search was finalized (stopped before completion). | |
| is_paused | boolean | Indicates if the search is paused. | |
| is_preview_enabled | boolean | Indicates if previews are enabled. | |
| is_real_time_search | boolean | Indicates if the search is a real time search. | |
| is_remote_timeline | boolean | Indicates if the remote timeline feature is enabled. | |
| is_saved | boolean | Indicates that the search job is saved, storing search artifacts on disk for 7 days from the last time that the job was viewed or touched. Add or edit the default_save_ttl value in limits.conf to override the default value of 7 days. | |
| is_saved_search | boolean | Indicates if this is a saved search run using the scheduler. | |
| is_zombie | boolean | Indicates if the process running the search is dead, but with the search not finished. | |
| keywords | text | All positive keywords used by this search. A positive keyword is a keyword that is not in a NOT clause. | |
| label | text | Custom name created for this search. | |
| latest_time | text | The latest time a search job is configured to start. Can be used to indicate progress. | |
| messages | jsonb | Errors and debug messages. | |
| num_previews | bigint | Number of previews generated so far for this search job. | |
| performance | jsonb | A representation of the execution costs. | |
| priority | bigint | An integer between 0-10 that indicates the search priority. | |
| remote_search | text | The search string that is sent to every search peer. | |
| report_search | text | If reporting commands are used, the reporting search. | |
| request | jsonb | GET arguments that the search sends to splunkd. | |
| result_count | bigint | The total number of results returned by the search. In other words, this is the subset of scanned events (represented by the scanCount) that actually matches the search terms. | |
| result_is_streaming | boolean | Indicates if the final results of the search are available using streaming (for example, no transforming operations). | |
| result_preview_count | bigint | The number of result rows in the latest preview results. | |
| run_duration | double precision | Time in seconds that the search took to complete. | |
| scan_count | bigint | The number of events that are scanned or read off disk. | |
| search_earliest_time | timestamp with time zone | Specifies the earliest time for a search, as specified in the search command rather than the earliestTime parameter. It does not snap to the indexed data time bounds for all-time searches (something that earliestTime/latestTime does). | |
| search_latest_time | timestamp with time zone | Specifies the latest time for a search, as specified in the search command rather than the latestTime parameter. It does not snap to the indexed data time bounds for all-time searches (something that earliestTime/latestTime does). | |
| search_providers | jsonb | A list of all the search peers that were contacted. | |
| sid | text | = | The search ID number. |
| status_buckets | bigint | Maximum number of timeline buckets. | |
| ttl | bigint | The time to live, or time before the search job expires after it completes. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- splunkYou can pass the configuration to the command with the --config argument:
steampipe_export_splunk --config '<your_config>' splunk_search_job