Splunk® Enterprise

Admin Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About jobs and job management

When a user runs a search in Splunk, it is created as a "job" in the system. This job also includes the artifacts (like search results) that are returned by a given search. Users can pause and resurrect their own jobs in the Job Manager. As an admin, you can manage the jobs of all users in the system.

To access the Jobs manager, click Jobs in the upper right of Splunk Web.

Jobs link.png

Note: The number of jobs shown in parentheses next to the Jobs link is the number of jobs that the user you're logged in as is currently running, not the number of jobs running on the system as a whole, even if you're logged in as admin.

You can also manage jobs through the command line of your OS.

Restrict the jobs users can run

The way to restrict how many jobs a given user can run, and how much space their job artifacts can take up is to define a role with these restrictions and assign them to it. You can do this at a very high level of granularity; each user in your system can have their own role.

Create a capability in a copy of authorize.conf in $SPLUNK_HOME/etc/system/local and give it appropriate values of:

  • srchDiskQuota: Maximum amount of disk space (MB) that can be taken by search jobs of a user that belongs to this role.
  • srchJobsQuota: Maximum number of concurrently running searches a member of this role can have.

For more information, refer to "Add and edit roles".

Autopause long-running jobs

To handle inadvertently long-running search jobs, Splunk provides an autopause feature. The feature is enabled by default only for summary dashboard clicks, to deal with the situation where users mistakenly initiate "all time" searches.

When autopause is enabled for a particular search view, the search view includes an autopause countdown field during a search. If the search time limit has been reached, an information window will appear to inform the user that the search has been paused. It offers the user the option of resuming or finalizing the search. By default, the limit before autopause is 30 seconds.


Autopause popup.png


Auto-pause is configurable only by view developers. It is not a system-wide setting nor is it configurable by role. The autopause feature can be enabled or disabled by editing the appropriate view. See How to turn off autopause in the Developer manual. Also, see the host, source, and sourcetypes links on the summary dashboard for examples of autopause implementation.

PREVIOUS
Hardening standards
  NEXT
Manage jobs in Splunk Web

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters