27.0 Managing Active Searches and Reports

Sentinel provides an option to monitor and manage active searches and reports on the Sentinel server for the purpose of resource management. You can view all the searches and reports currently active on the Sentinel server, determine which long-running searches or reports are no longer needed, and stop them as necessary.

Sentinel helps you monitor search and report activity so that you can tell when a search or a report is not retrieving events as expected, or is retrieving more events than expected, either of which might indicate that the search or the report needs to be tuned. It also helps you determine whether too many searches or reports are running, and identify long-running searches and reports that might slow down the system. Searches and reports that consume a lot of memory are a potential liability to a healthy system and should be carefully reviewed to ensure that the search query is specified properly. You can also stop searches and reports that are no longer needed and thereby free up system resources.

To manage active searches:

  1. From Sentinel Main, click Storage > Search Jobs.

    The Search Jobs page lists all the active event search jobs running in the system, including searches that are initiated when users perform activities such as the following:

    • Run a search in the Search interface.

    • View events that fire a correlation rule.

    • View events processed when testing a correlation rule.

    • Generate a report or drill down into report results.

    • Select filters to view events that match the filter criteria.

    • Select tags to view the events that are tagged with the specified criteria.

    • View events from the dashboard, anomaly, continuation breakdown, and so forth.

    The Search Jobs page refreshes every 30 seconds.

    You can view the following search details. Mouse over each field for information on what the field indicates:

    • Duration: The time spent to search events in the event store.

    • Status: Whether a search job is pending, running, finished, finished with errors, or canceled.

    • Owner: The user who initiated the search. For search jobs initiated by the system, the owner is indicated as “System.”

    • Type: Indicates the following:

      • System: Search jobs that are run for maintenance purposes. For example, to clean up invalid references to events from the database.

      • User: Search jobs started by users either through the Search interface or through the REST API.

      • Reports: Search jobs started by users, but used for getting event results for reports.

      • Data sync: Search jobs started to support the Data Synchronization feature.

      • Distributed: Search jobs initiated by a remote server.

    • Start: The time the search started searching for events.

    • Accessed: The time elapsed since the search was initiated.

    • More: Provides detailed information such as the IP address of the machine that initiated the search, events processed, search criteria, and so forth.

  2. (Conditional) To stop any active search jobs, select the search jobs you want to stop, then click Stop selected.
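    The review described above (which jobs have run too long, which are retrieving far more events than expected, and which owners have too many searches active at once) can be reduced to a few simple checks over the fields the Search Jobs page shows. The following script is an added example, not Sentinel's own code or API: it runs over a constructed list of job records whose field names (job_id, owner, job_type, status, duration_s, events_processed, source_ip) mirror the Duration, Status, Owner, Type and More columns, and the thresholds it uses are assumed defaults that an administrator would set for their own environment. It leaves jobs of type System out of the stop candidates, since those run for maintenance purposes.

```python
"""Triage a Sentinel Search Jobs listing for resource review.

Added example, not Sentinel code. The records below are constructed to
resemble the Search Jobs page; field names and thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SearchJob:
    job_id: str
    owner: str              # Owner column ("System" for system-initiated jobs)
    job_type: str           # Type column: System, User, Reports, Data sync, Distributed
    status: str             # Status column: pending, running, finished, finished with errors, canceled
    duration_s: int         # Duration column, normalised to seconds
    events_processed: int   # "More" details: events processed so far
    source_ip: str          # "More" details: machine that initiated the search


# Constructed sample listing (not real Sentinel output).
SAMPLE_JOBS = [
    SearchJob("s-1", "System", "System", "running", 900, 50_000, "127.0.0.1"),
    SearchJob("d-1", "System", "Distributed", "running", 700, 120_000, "192.0.2.20"),
    SearchJob("u-1", "alice", "User", "running", 1200, 2_500_000, "192.0.2.10"),
    SearchJob("u-2", "alice", "User", "running", 30, 400, "192.0.2.10"),
    SearchJob("u-3", "alice", "User", "pending", 0, 0, "192.0.2.10"),
    SearchJob("u-4", "alice", "User", "running", 45, 1_200, "192.0.2.10"),
    SearchJob("r-1", "bob", "Reports", "finished", 300, 200_000, "192.0.2.11"),
    SearchJob("r-2", "bob", "Reports", "running", 650, 900_000, "192.0.2.11"),
]

ACTIVE_STATES = ("pending", "running")


def long_running(jobs, max_seconds):
    """Running jobs whose Duration exceeds the allowed budget."""
    return [j for j in jobs if j.status == "running" and j.duration_s > max_seconds]


def over_budget(jobs, max_events):
    """Jobs that have retrieved more events than a well-tuned query should."""
    return [j for j in jobs if j.events_processed > max_events]


def busy_owners(jobs, max_concurrent):
    """Owners with more pending or running searches than the allowed limit."""
    counts = Counter(j.owner for j in jobs if j.status in ACTIVE_STATES)
    return {owner: n for owner, n in counts.items() if n > max_concurrent}


def triage(jobs, max_seconds=600, max_events=1_000_000, max_concurrent=3):
    """Summarise what to look at first; System maintenance jobs are never stop candidates."""
    reviewable = [j for j in jobs if j.job_type != "System"]
    slow = sorted(long_running(reviewable, max_seconds), key=lambda j: j.duration_s, reverse=True)
    heavy = sorted(over_budget(reviewable, max_events), key=lambda j: j.events_processed, reverse=True)
    return {
        "long_running": [j.job_id for j in slow],
        "over_budget": [j.job_id for j in heavy],
        "busy_owners": busy_owners(jobs, max_concurrent),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_JOBS)
    print("Long-running stop candidates:", ", ".join(result["long_running"]) or "none")
    print("Over event budget (query needs tuning?):", ", ".join(result["over_budget"]) or "none")
    for owner, n in result["busy_owners"].items():
        print(f"Owner {owner} has {n} active searches; review before stopping")
```

    In the sample, the same user job shows up both as the longest-running search and as the one retrieving far more events than expected, which is the pattern the text describes as a query that needs tuning rather than simply stopping. Owners with many concurrent searches are reported separately so that an administrator checks with the user before stopping work in progress.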

To manage active reports:

  1. From Sentinel Main, click Storage > Report Jobs.

  2. (Conditional) To stop any report jobs, select the report jobs you want to stop, then click Stop selected.

  3. (Conditional) To delete any report jobs, select the report jobs you want to delete, then click Delete selected.