The Active Search Jobs feature in Sentinel lists all the active event search jobs running in the system, including searches that are initiated when users perform activities, such as:
Run a search in the Search interface.
View events that fire a correlation rule.
View events processed when testing a correlation rule.
Generate a report or drill down into report results.
Select filters to view events that match the filter criteria.
Select tags to view the events that are tagged with the specified criteria.
View events from the dashboard, anomaly, continuation breakdown, and so forth.
Analyze, investigate, or view triggered events in Active Views.
The Active Search Jobs feature helps you monitor search activities and determine whether a search is not retrieving events as expected or is retrieving more events than expected, which might indicate that the search needs to be tuned. It also helps you determine whether too many searches are running and identify long-running searches that might slow down the system. Searches that consume a lot of memory are a potential liability to a healthy system and should be carefully reviewed to ensure that the search query is specified properly. You can also stop searches that are no longer needed to free up system resources.