Sentinel provides an option to monitor and manage active event search jobs on the Sentinel server for the purpose of resource management. You can view all the search jobs currently active on the Sentinel server, determine which long-running search jobs are no longer needed, and stop search jobs as necessary.
The Search Jobs feature in Sentinel lists all the active event search jobs running in the system, including searches that are initiated when users perform activities, such as:
Run a search in the Search interface.
View events that fire a correlation rule.
View events processed when testing a correlation rule.
Generate a report or drill down into report results.
Select filters to view events that match the filter criteria.
Select tags to view the events that are tagged with the specified criteria.
View events from the dashboard, anomaly, continuation breakdown, and so forth.
Analyze, investigate, or view triggered events in Active Views.
The Search Jobs feature helps you monitor search activities and determine whether a search is not retrieving events as expected or whether a search is retrieving more than the expected events, which might indicate that the search needs to be tuned. It also helps you determine if too many searches are running and helps identify long-running searches that might slow down the system. Searches that consume a lot of memory are a potential liability to a healthy system and should be carefully reviewed to ensure that the search query is specified properly. You can also stop the searches that are no longer needed and thereby free up system resources.
Log in to the Sentinel Web interface as a user in the administrator role.
https://<IP_Address/DNS_Sentinel_server:8443>
The IP_Address/DNS_Sentinel_server is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.
Click in the toolbar, then click .
The Search Jobs page refreshes every 30 seconds.
You can view the following search details. Mouse over each field for information on what the field indicates:
Duration: The time spent to search events in the event store.
Status: Whether a search job is pending, running, finished, finished with errors, or canceled.
Owner: The user who initiated the search. For search jobs initiated by the system, the owner is indicated as “System.”
Type: Indicates the following:
System: Search jobs that are run for maintenance purposes. For example, to clean up invalid references to events from the database.
User: Search jobs started by users either through the Search interface or through the REST API.
Reports: Search jobs started by users, but used for getting event results for reports.
Data sync: Search jobs started to support the Data Synchronization feature.
Distributed: Search jobs initiated by a remote server (distributed search.)
Start: The time the search started searching for events.
Accessed: The time elapsed since the search was initiated.
More: Provides detailed information such as the IP address of the machine that initiated the search, events processed, search criteria, and so forth.
(Conditional) To stop any active search jobs, select the search jobs you want to stop, then click .
Similar to Search Jobs, Sentinel provides an option to monitor and manage scheduled report jobs on the Sentinel server. You can view all report jobs currently active on the Sentinel server, determine which long-running report jobs are no longer needed, and stop report jobs as necessary.
The Report Jobs feature helps you monitor report activities and determine whether a scheduled report is active or not. It also helps you determine if too many reports are scheduled and helps identify reports that are scheduled for a longer time, which might slow down the system. You can stop the reports that are no longer needed to free up system resources.
The Reports Jobs page provides detailed information such as the memory allocation, report job duration, start time, end time, report definition parameters, and so forth. The Report Jobs page refreshes every 30 seconds.
Log in to the Sentinel Web console as a user in the Administrator role.
https://<IP_Address/DNS_Sentinel_server:8443>
The IP_Address/DNS_Sentinel_server is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.
Click in the toolbar, then click .
(Conditional) To stop any report jobs, select the report jobs you want to stop, then click .
(Conditional) To delete any report jobs, select the report jobs you want to delete, then click