$vt_jobs
The $vt_jobs virtual table lists previously executed searches.
// returns a list of all searches that were run within the past hour and are available to the current user
dataset="$vt_jobs" earliest=-1h
Purpose
Use $vt_jobs for troubleshooting or performance analysis, or to monitor search activity in your organization.
Permissions
| Search Member Type | Permissions |
|---|---|
| Admin | Can see all searches in their organization. |
| Editor or User | Can see only those searches that they ran themselves or that were shared with them. |
Syntax
dataset="$vt_jobs"
Returns
Returns one event for every search run within the specified time range, filtered through any additional criteria you specify.
Each event contains fields with the search’s details.
Examples
Aggregate searches from the past seven days by their status.
dataset="$vt_jobs" earliest=-7d
| summarize count() by status