Use search actions
Perform actions on running searches
Splunk provides a set of controls that you can use to manage "in process" searches. It displays these controls as blue buttons below the search bar while a search is running. The controls include:
- Send to background: Sends a search "to the background" while you work on other projects in the foreground, and has the system notify you when a backgrounded search is complete. You can use the Jobs page to access backgrounded search jobs and review their results.
- Pause/Resume: Pauses a search in progress. Useful when you're running a long search but want to put it on hold momentarily. Click Resume to keep searching or Finalize to finalize the search (see below).
- Finalize: Stops a search before it completes. Splunk will display the results that it has retrieved up to that point. You can use the finalized results to build a report.
- Cancel: Cancels searches in progress and deletes all results. Splunk lists recently canceled searches in the Jobs page, but, because their results are deleted, it does not provide a view link for them.
- Job Inspector: Opens the Search Job Inspector, a tool which lets you take a closer look at what your search is doing and see where Splunk is spending most of its time. You can select this action while the search is running or after it completes. For more information, see "About the Search Job Inspector".
- Print: Once the search has completed, enables you to print the resulting timeline and events list on your current page.
For more information about using the Jobs page to track searches that have been backgrounded, canceled, or are running for alerting purposes, see "Supervise Your Search Jobs" in this manual.
Save searches and create reports
Splunk also provides options to save your searches and create reports. It lists these options when you click the green buttons below the search bar.
Save options include:
- Save search...: Saves the search, so you can easily run the search again without having to retype the search string. For more information, see "Save searches and share search results" in this manual.
- Save results: Saves the results of the search and enables you to retrieve them from the Jobs manager.
- Save & share results: Saves the results of the search and provides a URL that enables you to share the results. For more information, see "Save searches and share search results".
Create options enable you to create:
- Dashboard panel...: Click this if you'd like to generate a dashboard panel based on your search and add it to a new or existing dashboard. Learn more about dashboards in "Create and edit simple dashboards" in this manual.
- Alert...: Click to define an alert based on your search. Alerts run saved searches in the background (either on a schedule or in real time). When the search returns results that meet a condition you have set in the alert definition, the alert is triggered. For more information, see "Create an alert" in this manual.
- Report...: If you're dealing with a long search and don't want to wait until the search completes to start defining a report based on it, click this to launch the Report Builder and give yourself a head start. The search continues running after the Report Builder is launched, and the finished report covers the full range of the event data returned. For more information, see "Define reports" in this manual.
- Event type...: Event types let you classify events that have common characteristics. If the search doesn't include a pipe operator or a subsearch, you can use this to save it as an event type. For more information, see "About event types" and "Define and maintain event types in Splunk Web".
- Scheduled search...: Select this to schedule the search and define alert actions and sharing settings. For more information, see "Monitor recurring situations".
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7