Manage jobs in the OS
This documentation does not apply to the most recent version of Splunk.
When Splunk runs a job, the job appears in the OS as a process called splunk-search. You can use Manager to act on this job, or you can manage the job's underlying processes from the OS command line.
To see the job's processes and its arguments, type:
> top
> c
This will show you all the processes running and all their arguments.
Typing ps -ef | grep splunk-search will isolate all the splunk-search processes within this list. It looks like this:
[pie@fflanda ~]$ ps -ef | grep splunk-search
pie 21368 19460 96 13:51 ? 00:01:18 splunk-search --search=search sourcetype="access_combined" --id=1247691084.1188 --maxbuckets=300 --ttl=600 --maxout=500000 --maxtime=0 --lookups=1 --reduce_freq=10 --user=pie --pro --roles=admin:user
pie 21371 21368 0 13:51 ? 00:00:00 splunk-search --search=search sourcetype="access_combined" --id=1247691084.1188 --maxbuckets=300 --ttl=600 --maxout=500000 --maxtime=0 --lookups=1 --reduce_freq=10 --user=pie --pro --roles=admin:user
pie 22804 20379 0 13:52 pts/9 00:00:00 grep splunk-search
There will be two processes for each search job; the second one is a 'helper' process used by the splunkd process to do further work as needed. The main job is the one using system resources. The helper process will die on its own if you kill the main process.
The process info includes:
- the search string (search=)
- the job ID for that job (id=)
- the ttl, or length of time that job's artifacts (the output it produces) will remain on disk and available (ttl=)
- the user who is running the job (user=)
- what role(s) that user belongs to (roles=)
When a job is running, its data is being written to $SPLUNK_HOME/var/run/splunk/dispatch/<job_id>/
Scheduled jobs (scheduled saved searches) include the saved search name as part of the directory name.
The job's ttl value determines how long the data remains in this directory, even after you kill the job.
If you need to remove a job's artifacts, note its job ID before you kill the job from the OS.
Use the filesystem to manage jobs
Splunk allows you to manage jobs via creation and deletion of items in that job's artifact directory:
- To cancel a job, go into that job's artifact directory and create a file called 'cancel'.
- To preserve that job's artifacts (and ignore its ttl setting), create a file called 'save'.
- To pause a job, create a file called 'pause', and to unpause it, delete the 'pause' file.
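The following script is an added example, not part of the Splunk documentation or Splunk's own code. It pulls the job ID, user and ttl out of ps -ef output while skipping the helper process, then drives a job through the control files listed above. The function names list_search_jobs, job_ctl and sample_ps are made up for this example, and it assumes the Linux ps -ef column layout and the argument order shown on this page.

```shell
#!/bin/sh
# Added example, not Splunk code. Assumes Linux `ps -ef` columns
# (UID PID PPID C STIME TTY TIME CMD) and the arguments shown on this page.

# Constructed sample: the page's ps output with some arguments trimmed.
sample_ps() {
cat <<'EOF'
pie 21368 19460 96 13:51 ? 00:01:18 splunk-search --search=search sourcetype="access_combined" --id=1247691084.1188 --maxbuckets=300 --ttl=600 --user=pie --roles=admin:user
pie 21371 21368 0 13:51 ? 00:00:00 splunk-search --search=search sourcetype="access_combined" --id=1247691084.1188 --maxbuckets=300 --ttl=600 --user=pie --roles=admin:user
pie 22804 20379 0 13:52 pts/9 00:00:00 grep splunk-search
EOF
}

# Read `ps -ef` on stdin; print "<main_pid> <job_id> <user> <ttl>" per job.
list_search_jobs() {
    awk '
    $8 ~ /(^|\/)splunk-search$/ {
        id = ""; user = ""; ttl = ""
        # Keep the last match: the real options follow the search string,
        # so text inside --search= cannot shadow them.
        for (i = 9; i <= NF; i++) {
            if ($i ~ /^--id=/)   id   = substr($i, 6)
            if ($i ~ /^--user=/) user = substr($i, 8)
            if ($i ~ /^--ttl=/)  ttl  = substr($i, 7)
        }
        n++; pid[n] = $2; ppid[n] = $3; jid[n] = id; usr[n] = user; t[n] = ttl
        seen[$2] = 1
    }
    END {
        # The helper is the process whose parent is another splunk-search.
        for (k = 1; k <= n; k++)
            if (!(ppid[k] in seen)) print pid[k], jid[k], usr[k], t[k]
    }'
}

# job_ctl <dispatch_dir> <job_id> cancel|save|pause|unpause
# dispatch_dir is $SPLUNK_HOME/var/run/splunk/dispatch on a real host.
job_ctl() {
    case "$2" in ''|.|..|*/*) echo "bad job id: $2" >&2; return 2 ;; esac
    dir="$1/$2"
    [ -d "$dir" ] || { echo "no artifact directory: $dir" >&2; return 1; }
    case "$3" in
        cancel|save|pause) touch "$dir/$3" ;;
        unpause)           rm -f "$dir/pause" ;;
        *) echo "unknown action: $3" >&2; return 2 ;;
    esac
}

sample_ps | list_search_jobs   # prints: 21368 1247691084.1188 pie 600
```

On a live host, pipe ps -ef into list_search_jobs instead of sample_ps. The job ID is rejected if it contains a path separator, so a value copied from process arguments cannot point job_ctl outside the dispatch directory.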
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11