Splunk search for Average search run time by host
Copy
index=_audit sourcetype=audittrail action=search total_run_time=* host=* | dedup search_id | eval runtime=if(isnum(total_run_time), total_run_time, "null") | where runtime!="null" | timechart span=15m eval(round(avg(runtime),2)) as avg_runtime by host limit=0
This Splunk search will output a timechart that will show the average runtime of searches that have fun, separated by search head that they were executed on.
0 comments
[0]
[0]
[0]
[0]
Sign in or Register to submit a comment