Splunk® Enterprise

Search Manual

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

About jobs and job management

Each time you run a search, create a pivot, open a report, or load a dashboard panel, the Splunk software creates a job in the system. When you run a search, you are creating an ad hoc search. Pivots, reports, and panels are powered by saved searches.

This graphic shows an image of a search, a report, a pivot, and a dashboard panel pointing to an image of a list of jobs.

A job is a process that tracks information about the ad hoc search or saved search. The information that is tracked includes the owner of the job, the app that the job was run on, how many events were returned, and how long the job took to run.

Each job process creates a search artifact. The artifact contains the results and associated metadata that are returned at the time that the ad hoc search or saved search was run.

Inspecting jobs and managing jobs

There are several ways that you can look at information about your jobs. You can inspect a job or you can manage a job.

Search Job Inspector
Use the Search Job Inspector to view information about the current job, such as job execution costs and search job properties. See View search job properties.
Jobs manager page
Use the Jobs manager page to view information about recent jobs. If you have the Admin role or a role with an equivalent set of capabilities, you can manage the search jobs run by other users. See Manage search jobs.

Job menu

After you run a search or open a report in Splunk Web, you can access and manage information about the search job without leaving the Search page. While the search is running, paused, or finalized, click Job and choose from the available options.

This image shows the Jobs drop-down list. The list of options are described below the image.

  • Edit the job settings. Select this to open the Job Settings dialog, where you can change the job read permissions, extend the job lifetime, and get a URL for the job. You can use the URL to share the job with others, or to create a bookmark to the job from your web browser.
  • Send the job to the background. Select this if the search job is slow to complete and you want to you work on other Splunk activities, including running a new search job. The job continues to run in the background.
  • Inspect the job. Opens a separate window and displays information and metrics for the search job using the Search Job Inspector.
  • Delete the job. Use this to delete a job that is currently running, is paused, or which has finalized. After you delete the job, you can still save the search as a report.

Edit search job settings

You can open the Job Settings dialog when a search job is running, paused, or finalized. Just click Job and select Edit Job Settings.

This image shows the Job Settings dialog box. The default setting for Read Permissions is Private. The default setting for Lifetime is 10 minutes.

Sharing jobs

There are several ways to share a job with other Splunk users. You can change the job permissions or send a link to the job. This can be handy if you want another user to see the results returned by the job. See Sharing and exporting jobs.

Job lifetimes

When you run a new search, a job is retained in the system for a period of time, called the job lifetime. The default lifetime is 10 minutes. The lifetime starts from the moment the job is run. See Extending job lifetimes in this manual.

Managing long-running jobs

Sometimes a search job runs for a long time. You might want to edit the search to change the search criteria, or you might want to pause the search or run the search in the background.

Autopause long-running jobs

To handle inadvertently long-running search jobs, you can autopause a job. This feature is enabled by default only for summary dashboard clicks, to deal with the situation where a user mistakenly initiates "all time" searches.

When autopause is enabled for a particular search view, the search view includes an autopause countdown field during the search. If the search time limit has been reached, an information window will appear to inform the user that the search has been paused. It offers the user the option of resuming or finalizing the search. By default, the limit before autopause is 30 seconds.

Autopause popup.png

Managing jobs when a computer goes into sleep mode

When a search is run in Splunk Web from a computer that is not a Splunk server and the computer changes to sleep or hibernate mode, the underlying search process is stopped. The Splunk software interprets the change to sleep or hibernate mode as if the browser tab in which the software is running has been closed and is no longer being used.

To avoid this issue, use one of the following techniques:

  • Send the job to the background. The job continues to run in the background even when your computer goes into sleep or hibernate mode. From the Job menu, select Send Job to Background.
  • Save and schedule the search. The search runs independently from the computer that was used to create the search. You will need to decide if you want to save and schedule the search as a report, dashboard or an alert. See Saving searches and Scheduling searches.
  • Share the job. The lifetime of the job is automatically extended to 7 days and read permissions are set to Everyone. See Share jobs and export results.
  • Change the settings on the computer to extend the time before the computer goes into sleep or hibernate mode.

Administering jobs

Users with the Admin role, or a role with equivalent capabilities, can restrict how many jobs a given user can run, and how much space their job artifacts can take up.

You must define a role with the desired restrictions and assign the user to the role. You can apply a high level of granularity by giving unique roles to each user in your system.

Edit search restriction settings

To edit the search restrictions setting for a role:

  1. In Splunk Web, go to Settings > Access Controls > Roles. In Splunk Enterprise you can manually edit search restrictions, which are specified in the authorize.conf file, as described in Edit search restrictions manually.

You can manage running jobs from the command line. For more information, see Manage search jobs from the OS.

Edit search restrictions manually

  1. Review the contents of the authorize.conf.example file in the Admin Manual. This example explains some the attributes that you might want to use.
  2. Create the configuration file.
  3. Scope Description
    System-wide Create the authorize.conf file in local directory for the system. The location of the system local directory is $SPLUNK_HOME/etc/system/local .
    Application-specific Create the authorize.conf file in the local directory for the application. The location of an application local directory is $SPLUNK_HOME/etc/apps/<app_name>/local.
  4. Edit the local authorize.conf file. To restrict the jobs that users can run, add the following information to the file:
    1. Add a stanza for the role that you want to create. Use the format [role_<roleName>]. Role names must be in lowercase characters. For example, [role_ninja].
    2. Optional. Add the importRoles attribute. Importing a role also imports the other aspects of that role, such as the indexes that the role is allowed to search. For example, importRoles = user.
    3. Add the srchDiskQuota attribute and value. This is the maximum amount of disk space (MB) that search jobs can use, for a user that belongs to this role. The default value is 100MB. For example, srchDiskQuota = 500.
    4. Add the srchJobsQuota attribute and value. This is the maximum number of concurrently running searches that a user of this role can have. The default value is 3. srchJobsQuota = 10.
    5. Optional. Add the rtsearch attribute to specify if the user is authorized to run real-time searches. If you enable real-time searches for the user, you should also specify the rtSrchJobsQuota attribute.


  • For attribute descriptions and information about the default values, see role_name stanza for the authorize.conf file in the Admin Manual.
  • For more information about roles, see Add and edit roles in the Securing Splunk Enterprise manual.

See also

Last modified on 14 April, 2021
 

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters