Splunk® Enterprise

User Manual

Splunk version 4.x reached its End of Life on October 1, 2013.
This documentation does not apply to the most recent version of Splunk.

Use search actions

Perform actions on running searches

Splunk provides a set of controls that you can use to manage "in process" searches. It displays these controls as blue buttons below the search bar while a search is running. The controls include:

  • Send to background: Sends a search "to the background" while you work on other projects in the foreground, and has the system notify you when a backgrounded search is complete. You can use the Jobs page to access backgrounded search jobs and review their results.
  • Pause/Resume: Pauses a search in progress. Useful when you're running a long search but want to put it on hold momentarily. Click Resume to keep searching or Finalize to finalize the search (see below).
  • Finalize: Stops a search before it completes. Splunk will display the results that it has retrieved up to that point. You can use the finalized results to build a report.
  • Cancel: Cancels searches in progress and deletes all results. Splunk lists recently canceled searches in the Jobs page, but, because their results are deleted, it does not provide a view link for them.
  • Job Inspector: Opens the Search Job Inspector, a tool which lets you take a closer look at what your search is doing and see where Splunk is spending most of its time. You can select this action while the search is running or after it completes. For more information, see "About the Search Job Inspector".
  • Print: Once the search has completed, enables you to print the resulting timeline and events list on your current page.

For more information about using the Jobs page to track searches that have been backgrounded or canceled, or that are running for alerting purposes, see "Supervise Your Search Jobs" in this manual.

Save searches and create reports

Splunk also provides options to save your searches and create reports. It displays these options when you click the green buttons below the search bar.

Save options include:

  • Save search...: Saves the search, so you can easily run the search again without having to retype the search string. For more information, see "Save searches and share search results" in this manual.
  • Save results: Saves the results of the search and enables you to retrieve them from the Jobs manager.
  • Save & share results: Saves the results of the search and provides a URL that enables you to share the results. For more information, see "Save searches and share search results".

Create options enable you to create:

  • Dashboard panel...: Click this if you'd like to generate a dashboard panel based on your search and add it to a new or existing dashboard. Learn more about dashboards in "Create and edit simple dashboards" in this manual.
  • Alert...: Click to define an alert based on your search. Alerts run saved searches in the background (either on a schedule or in real time). When the search returns results that meet a condition you have set in the alert definition, the alert is triggered. For more information, see "Create an alert" in this manual.
  • Report...: If you're dealing with a long search and don't want to wait until the search completes to start defining a report based on it, click this to launch the Report Builder and give yourself a head start. The search continues running after the Report Builder is launched, and the finished report covers the full range of the event data returned. For more information, see "Define reports" in this manual.
  • Event type...: Event types let you classify events that have common characteristics. If the search doesn't include a pipe operator or a subsearch, you can use this to save it as an event type. For more information, see "About event types" and "Define and maintain event types in Splunk Web".
  • Scheduled search...: Select this to schedule the search and to define alert actions and sharing settings. For more information, see "Monitor recurring situations".

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
