Splunk® Enterprise

User Manual

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Supervise your search jobs

Each time you run a search or generate a report, Splunk creates a job that contains the event data returned by that search or report. The Job Manager enables you to review and oversee your recently dispatched jobs, as well as those you may have saved earlier.

Just to be clear, jobs are not the same as saved searches and saved reports. Saved searches and saved reports contain data used to run those searches and reports, such as the search string and the time arguments used to dispatch searches. Jobs are artifacts of previously run searches and reports. They contain the results of a particular run of a search or report. Jobs are dispatched by scheduled searches as well as manual runs of searches and reports in the user interface.

For more information about saving searches see "Save searches" in this manual. For more information about saving reports, see "Save reports and share them with others" in this manual.

You access the Job Manager by clicking the Jobs link in the upper right-hand corner of the screen.

When you click Jobs, Splunk opens a separate browser window for the Job Manager. The Job Manager displays a list of search jobs that breaks down into a few categories:

  • Search jobs resulting from searches that you have recently run manually.
  • Search jobs that are artifacts of searches that are run when dashboards are loaded.
  • Search jobs that are artifacts of scheduled searches (searches that are designed to run on a regular interval).
  • Search jobs that have been saved.
    • You can save a search job manually via the Job Manager.
    • Search jobs are also saved automatically when you manually send a search to the background before it completes or you finalize it.

Note: If a job is canceled while you have the Job Manager window open, it can still appear in the Job Manager list, but you won't be able to view its results. If you close and reopen the Job Manager, the canceled job should disappear.

Search job lifespans

Search jobs will remain in the Job Manager until they are automatically deleted by the Splunk system. The default lifespan for a search job differs depending on whether it is an artifact of a search that was launched manually, or is an artifact of a scheduled search.

Search jobs from manually-launched searches and dashboard loads

When you manually launch a search and the search is finalized or completes on its own, the resulting search job has a default lifespan of 10 minutes. Search jobs from searches that are artifacts of dashboard panel loads also have 10 minute lifespans.

You can extend a search job's expiration time to 7 days by saving it. You can save a search job two ways: you can open the Job Manager and save the search job manually, or you can save the search job by sending it to the background while the search is still running.

Note: If you want to increase or decrease the retention time for saved jobs, go to limits.conf and change the default_save_ttl value for the [search] stanza to a number that is more appropriate for your needs. (The acronym "ttl" stands for "time to lose.")

Whenever you view a search job's results (in other words, whenever you click its link in the Job Manager to bring up its results in another window) Splunk resets the job's expiration time so that it is retained for 7 days from the moment when you accessed it.

Search jobs from scheduled searches

Scheduled searches launch search jobs on a regular interval. By default, such jobs will be retained for the interval of the scheduled search multiplied by two. So if the search runs every 6 hours, the resulting jobs will expire in 12 hours.

Note: You can change the default lifespan for jobs resulting from a specific scheduled search. To do this, go to savedsearches.conf, locate the scheduled search in question, and change its dispatch.ttl setting to a different interval multiple.
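
The two retention settings from the notes above, shown together as an added example that is not part of the original Splunk manual. Because a job holds the event data its search returned, these values decide how long that data stays available. The saved search name, its schedule, and the chosen values are constructed for illustration; 604800 seconds is the 7-day default this page describes, and the `p` suffix on dispatch.ttl marks a multiple of the search's schedule interval.

```ini
# --- limits.conf (local copy, e.g. $SPLUNK_HOME/etc/system/local/) ---
[search]
# Lifespan, in seconds, of a search job once it has been saved.
# 604800 = 7 days (the default described above).
# 86400  = 1 day, a constructed shorter retention.
default_save_ttl = 86400

# --- savedsearches.conf (local copy in the app that owns the search) ---
# Constructed scheduled search that runs every 6 hours.
[Example - failed logins every 6 hours]
cron_schedule = 0 */6 * * *
# Default is 2p: 2 x the 6-hour interval, so each job expires after 12 hours.
# 4p keeps each job for 4 x 6 = 24 hours instead.
dispatch.ttl = 4p
```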

Job Manager controls

Use the Job Manager controls to:

  • See a list of the jobs you've recently dispatched or saved for later review and use it to compare job statistics (run time, total count of events matched, size, and so on). If you have the Admin role or a role with equivalent or greater capabilities, you will see all jobs that have been recently dispatched for your Splunk implementation.
  • Check on the progress of ongoing backgrounded jobs (this includes both real-time searches and long-running historical searches) or jobs dispatched by scheduled searches.
  • Save, pause, resume, finalize, and delete search jobs, either individually or in bulk. Select the checkbox to the left of the job(s) you want to act on and click the relevant button at the bottom of the page.
  • Click on the search name or search string to view the results associated with a specific job. The results will open in a separate browser window.
    • If the job is related to a search, you'll see the results in the Search view. They will appear in a separate window.
    • If the job is related to a report, you'll see the results in the Format Report page of the Report Builder.
  • The Expires column tells you how much time each listed job has before it is deleted from the system. If you want to be able to review a search job after that expiration point, or share it with others, save it. Keep in mind, however, that jobs will still expire 7 days after they are saved (unless you view the job directly during that 7-day period, in which case the expiration clock is reset). See "Search job lifespans," above, for more information.

In most views you can save the last search or report job you ran without accessing the Job Manager page, as long as the job hasn't already expired:

  • If you want to save a search job, after running a search in the Search view, click Save and select Save results. Select Save & share results if you want to both save the results of a particular run of a search and share those results with others (Splunk will give you a link to the results that you can send to interested parties).
  • You can also save a search job that you've run manually by clicking the Send to Background icon while the search is still running. This has the same effect as clicking Save and selecting Save results. For more information about sending searches to the background see "Use search actions" in this manual.
  • If you want to save a report job from the Report Builder, get to the Format report page, click Save, and select either Save results or Save & share results. You can access the saved job in the Job Manager. If you select the latter option you'll get a link to the results that you can send to interested parties.

For more information, see "About jobs and jobs management" in the Admin manual.

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7