Search usage statistics: Instance
What does this view show?
Several panels about search usage statistics.
Interpret results in this view
In the Long-Running Searches panel:
- A start time of ZERO_TIME means that search will go up to the epoch.
- An end time of ZERO_TIME means that the search searches up until the moment that the search is fired.
- If both start and end time are listed as ZERO_TIME, that indicates an all-time search.
In the Common Search Commands panel, runtimes are in seconds.
What to look out for in this view
It's good practice to look at your long-running searches. You might find a search that you can optimize.
For more information, see "Write better searches" in the Search Manual.
Troubleshoot this view
The historical panels in this view get their data from audit.log. If a panel is blank or missing information from non-indexers, check that you're forwarding your introspection logs to your indexers.
The Long-Running Searches panel also uses information from a REST endpoint.
Search activity: Deployment
Resource usage: Instance
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15