Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Supervise your search jobs with the Job Manager

You can use the Job Manager to review and manage any search that you own. If you have the Admin role or a role with an equivalent set of capabilities, you can manage the search jobs run by all users of your implementation. You can access these jobs via Splunk Web by going to the Job Manager; to do this just click the Jobs link at the upper right-hand corner of any Splunk page.

Access the Job Manager by clicking the Jobs link in the upper right hand corner of the screen.

5.0-Job Mgr Link.png

When you click Jobs, Splunk opens a separate browser window for the Job Manager. The Job Manager displays a list of search jobs. Search jobs displayed in the Job Manager list include:

  • Jobs resulting from searches that you have recently run manually.
  • Jobs that are artifacts of searches that are run when dashboards are loaded.
  • Jobs that are artifacts of scheduled searches (searches that are designed to run on a regular interval).
  • Jobs that have been saved.
    • You can save a search job manually via the Job Manager.
    • Search jobs are also saved automatically when you manually send a search to the background before it completes or you finalize it.

Note: If a job is canceled while you have the Job Manager window open it can still appear in the Job Manager list, but you won't be able to view its results. If you close and reopen the Job Manager, the canceled job should disappear.

Search job lifespans

Search jobs will remain in the Job Manager until they are automatically deleted by the Splunk system. The default lifespan for a search job differs depending on whether it is an artifact of a search that was launched manually, or is an artifact of a scheduled search.

Search jobs from manually-launched searches and dashboard loads

When you manually launch a search and the search is finalized or completes on its own, the resulting search job has a default lifespan of 10 minutes. Search jobs from searches that are artifacts of dashboard panel loads also have 10 minute lifespans.

You can extend a search job's expiration time to 7 days by saving it. You can save a search job two ways: you can open the Job Manager and save the search job manually, or you can save the search job by sending it to the background while the search is still running.

Note: If you want to increase or decrease the retention time for saved jobs, go to limits.conf and change the default_save_ttl value for the [search] stanza to a number that is more appropriate for your needs. (The acronym "ttl" stans for "time to lose.")

Whenever you view a search job's results (in other words, whenever you click its link in the Job Manager to bring up its results in another window) Splunk resets the job's expiration time so that it is retained for 7 days from the moment when you accessed it.

Search jobs from scheduled searches

Scheduled searches launch search jobs on a regular interval. By default, such jobs will be retained for the interval of the scheduled search multiplied by two. So if the search runs every 6 hours, the resulting jobs will expire in 12 hours.

Note: You can change the default lifespan for jobs resulting from a specific scheduled search. To do this, go to savedsearches.conf, locate the scheduled search in question, and change its dispatch.ttl setting to a different interval multiple.

Job Manager controls

5.0-Jobs Manager Main.png

Use the Job Manager controls to:

  • See a list of the jobs you've recently dispatched or saved for later review and use it to compare job statistics (run time, total count of events matched, size, and so on). If you have the Admin role or a role with equivalent or greater capabilities you will see all jobs that have been recently dispatched for your Splunk implementation.
  • Check on the progress of ongoing backgrounded jobs (this includes both real-time searches and long-running historical searches) or jobs dispatched by scheduled searches.
  • Save, pause, resume, finalize, and delete search jobs, either individually or in bulk. Select the checkbox to the left of the job(s) you want to act on and click the relevant button at the bottom of the page.
  • Click on the search name or search string to view the results associated with a specific job. The results will open in a separate browser window.
    • If the job is related to a search, you'll see the results in the Search view. They will appear in a separate window.
    • If the job is related to a report, you'll see the results in the Format Report page of the Report Builder.
  • The Expires column tells you how much time each list job has before it is deleted from the system. If you want to be able to review a search job after that expiration point, or share it with others, save it. Keep in mind, however, that jobs will still expire 7 days after they are saved (unless you view the job directly during that 7 day period, in which case the expiration clock is reset). See "Search job lifespans," above, for more information.

In most views you can save the last search or report job you ran without accessing the Job Manager page, as long as the job hasn't already expired:

  • If you want to save a search job after running a search in the Search view, click Save and select Save results. Select Save & share results if you want to both save the results of a particular run of a search and share those results with others (Splunk will give you a link to the results that you can send to interested parties).
  • You can also save a search job that you've run manually by clicking the Send to Background icon while the search is still running. This has the same effect as clicking Save and selecting Save results. For more information about sending searches to the background see "Perform actions on running searches" in the Search Manual.
  • If you want to save a report job from the Report Builder, get to the Format report page, click Save, and select either Save results or Save & share results. You can access the saved job in the Job Manager. If you select the latter option you'll get a link to the results that you can send to interested parties.

For more information, see "About search jobs and search job management" in this manual.

PREVIOUS
About search jobs and search job management
  NEXT
Manage search jobs from the operating system

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters