Splunk® Enterprise

Search Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Perform actions on running searches

Splunk provides a set of controls that you can use to manage "in process" searches and create reports and dashboards. It displays these controls as blue buttons below the search bar while a search is running. The controls include:

  • Send to background: Sends a search "to the background" while you work on other projects in the foreground, and has the system notify you when a backgrounded search is complete. You can use the Jobs page to access backgrounded search jobs and review their results.
  • Pause/Resume: Pauses a search in progress. Useful when you're running a long search but want to put it on hold momentarily. Click Resume to keep searching or Finalize to finalize the search (see below).
  • Finalize: Stops a search before it completes. Splunk will display the results that it has retrieved up to that point. You can use the finalized results to build a report.
  • Cancel: Cancels searches in progress and deletes all results. Splunk lists recently canceled searches in the Jobs page, but, because their results are deleted, it does not provide a view link for them.
  • Job Inspector: Opens the Search Job Inspector, a tool which lets you take a closer look at what your search is doing and see where Splunk is spending most of its time. You can select this action while the search is running or after it completes. For more information, see "Use the Search Job Inspector".
  • Print: Once the search has completed, enables you to print the resulting timeline and events list on your current page.

Running search.png

For more information about using the Jobs page to track searches that have been backgrounded, canceled, or which are running for alerting purposes see "Supervise Your Search Jobs with the Job Manager" in the Knowledge Manager Manual.

Create options enables you to create:

  • Dashboard panel...: Click this if you'd like to generate a dashboard panel based on your search and add it to a new or existing dashboard. Learn more about dashboards in "Create and edit dashboards via the UI" in the Splunk Data Visualizations Manual.
  • Alert... Click to define an alert based on your search. Alerts run saved searches in the background (either on a schedule or in real time). When the search returns results that meet a condition you have set in the alert definition, the alert is triggered. For more information, see "Aboutalerts" in the Alerting Manual.
  • Report...: If you're dealing with a long search and don't want to wait until the search completes to start defining a report based on it, click this to launch the Report Builder and give yourself a head start. The search continues running after the Report Builder is launched, and the finished report covers the full range of the event data returned. For more information, see "Define reports with the Report Builder" in the Splunk Data Visualizations Manual.
  • Event type... Event types let you classify events that have common characteristics. If the search doesn't include a pipe operator or a subsearch , you can use this to save it as an event type. For more information, see "About event types" and "Define and maintain event types in Splunk Web" in the Knowledge Manager Manual.
  • Scheduled search... Select this to create a scheduled search that performs an action (such as sending an email with the results of the search to a set of people) each time the search runs. For more information, see "Define scheduled searches" in the Knowledge Manager Manual.
PREVIOUS
Whats in Splunk Search
  NEXT
Set search mode to adjust your search experience

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters