About jobs and job management
This documentation does not apply to the most recent version of Splunk.
When a user runs a search in Splunk, it is created as a "job" in the system. This job also includes the artifacts (like search results) that are returned by a given search. Users can pause and resurrect their own jobs in the Job Manager. As an admin, you can manage the jobs of all users in the system.
To access the Jobs manager, click Jobs in the upper right of Splunk Web.
Note: The number of jobs shown in parentheses next to the Jobs link is the number of jobs that the user you're logged in as is currently running, not the number of jobs running on the system as a whole, even if you're logged in as admin.
You can also manage jobs through the command line of your OS.
Restrict the jobs users can run
To restrict how many jobs a given user can run, and how much space their job artifacts can take up, define a role with these restrictions and assign the user to it. You can make this as granular as you need; each user in your system can have their own role.
Create a capability in a copy of authorize.conf in $SPLUNK_HOME/etc/system/local and set appropriate values for:
- srchDiskQuota: Maximum amount of disk space (MB) that can be taken by search jobs of a user that belongs to this role.
- srchJobsQuota: Maximum number of concurrently running searches a member of this role can have.
For more information, refer to the topic about creating roles in this manual.
A user is getting a "Maximum disk usage" "Search not executed" error
If a single user in a role is getting this error, it means they have persisted a lot of search results to disk. Most likely they ran a '*' search over all time (or something like that) and have millions of results saved. If you want to bump up the disk quota for all users in the role, you must modify
Create a capability in a copy of authorize.conf as described in the previous section.
Find and delete the search results
If you are logged in as an admin, you can go to the Jobs menu, search for the user in the Owner column, and delete the offending saved data. (Most likely, there will be a few searches with massive numbers of results.)
Or you can go to $SPLUNK_HOME/var/run/splunk/dispatch and type:
$ find . -name info.csv -exec grep username_in_question {} \; -print
and then delete all of the directories that come back.
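An added example, not part of the original Splunk documentation: a shell wrapper around the find command above that lists the matching job directories with their disk usage, largest first, and removes them only when explicitly asked. It assumes, as the command above does, that a job's info.csv contains the owner's username; the function names and the sample dispatch tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: review, then optionally remove, one user's dispatch artifacts.

# list_user_jobs DISPATCH_DIR USERNAME
# Prints "<size_kb><TAB><job_dir>" for each job whose info.csv names USERNAME,
# largest first. -F/-w match the name literally and as a whole word, so
# "bob" does not also select jobs owned by "bobby".
list_user_jobs() {
    [ -d "$1" ] && [ -n "$2" ] || { echo "usage: list_user_jobs DIR USER" >&2; return 2; }
    find "$1" -type f -name info.csv -exec grep -qwF -- "$2" {} \; -print |
    while IFS= read -r info; do
        job_dir=$(dirname "$info")
        printf '%s\t%s\n' "$(du -sk "$job_dir" | cut -f1)" "$job_dir"
    done | sort -rn
}

# purge_user_jobs DISPATCH_DIR USERNAME [--delete]
# Dry run by default; directories are removed only when --delete is given.
purge_user_jobs() {
    list_user_jobs "$1" "$2" | cut -f2- | while IFS= read -r job_dir; do
        if [ "${3:-}" = "--delete" ]; then
            rm -rf -- "$job_dir" && echo "removed $job_dir"
        else
            echo "would remove $job_dir"
        fi
    done
}

# make_sample_dispatch: builds a constructed dispatch tree (not real Splunk
# output; the info.csv layout is invented) and prints its path.
make_sample_dispatch() {
    d=$(mktemp -d) || return 1
    for job in 1001:bob 1002:bobby 1003:bob; do
        mkdir -p "$d/${job%%:*}"
        printf '"owner","label"\n"%s","sample"\n' "${job##*:}" > "$d/${job%%:*}/info.csv"
    done
    # Give job 1003 a large results file so it sorts first.
    dd if=/dev/urandom of="$d/1003/results.csv" bs=1024 count=256 2>/dev/null
    echo "$d"
}

# Demo on the constructed tree: dry run for user "bob", then clean up.
sample=$(make_sample_dispatch)
purge_user_jobs "$sample" bob
rm -rf -- "$sample"
```

Run the dry run first and check the listed directories against the Owner column in the Jobs manager before repeating the call with --delete.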
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11