Perform actions on running searches
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Perform actions on running searches
Splunk provides a set of controls that you can use to manage "in process" searches. It displays these controls below the search bar while a search is running. The controls include:
- Pause: Pauses a search in progress. Useful when you're running a long search but want to put it on hold momentarily. Click Resume to keep searching or Finalize to finalize the search (see below).
- Send to background: Lets you send a search "to the background" while you work on other projects in the foreground, and have the system give you a notification when a backgrounded search is complete. You can use the Jobs page to access backgrounded searches and review their results.
- Finalize: This stops a search before it completes and get the results that Splunk has retrieved up to that point. You can use the finalized results to build a report.
- Build report: If you're dealing with a long search and don't want to wait until the search completes to start defining a report based on it, use this control to launch the report builder and give yourself a head start. The search continues running after the report builder is launched, and the finished report covers the full range of the event data returned.
- Cancel: Cancels searches in progress and deletes all results. Splunk lists recently canceled searches in the Jobs page, but, because their results are deleted, it does not provide a view link for them.
For more information about the Jobs page see "Supervise Your Search Jobs" in this manual.
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.