Perform actions on running searches
Splunk provides a set of controls that you can use to manage "in process" searches and create reports and dashboards. It displays these controls as blue buttons below the search bar while a search is running. The controls include:
- Send to background: Sends a search "to the background" while you work on other projects in the foreground, and has the system notify you when a backgrounded search is complete. You can use the Jobs page to access backgrounded search jobs and review their results.
- Pause/Resume: Pauses a search in progress. Useful when you're running a long search but want to put it on hold momentarily. Click Resume to keep searching or Finalize to finalize the search (see below).
- Finalize: Stops a search before it completes. Splunk will display the results that it has retrieved up to that point. You can use the finalized results to build a report.
- Cancel: Cancels searches in progress and deletes all results. Splunk lists recently canceled searches in the Jobs page, but, because their results are deleted, it does not provide a view link for them.
- Job Inspector: Opens the Search Job Inspector, a tool which lets you take a closer look at what your search is doing and see where Splunk is spending most of its time. You can select this action while the search is running or after it completes. For more information, see "Use the Search Job Inspector".
- Print: Once the search has completed, enables you to print the resulting timeline and events list on your current page.
For more information about using the Jobs page to track searches that have been backgrounded, canceled, or which are running for alerting purposes, see "Supervise Your Search Jobs with the Job Manager" in the Knowledge Manager Manual.
The Create options enable you to create:
- Dashboard panel...: Click this if you'd like to generate a dashboard panel based on your search and add it to a new or existing dashboard. Learn more about dashboards in "Create and edit dashboards via the UI" in the Splunk Data Visualizations Manual.
- Alert...: Click to define an alert based on your search. Alerts run saved searches in the background (either on a schedule or in real time). When the search returns results that meet a condition you have set in the alert definition, the alert is triggered. For more information, see "About alerts" in the Alerting Manual.
- Report...: If you're dealing with a long search and don't want to wait until the search completes to start defining a report based on it, click this to launch the Report Builder and give yourself a head start. The search continues running after the Report Builder is launched, and the finished report covers the full range of the event data returned. For more information, see "Define reports with the Report Builder" in the Splunk Data Visualizations Manual.
- Event type...: Event types let you classify events that have common characteristics. If the search doesn't include a pipe operator or a subsearch, you can use this to save it as an event type. For more information, see "About event types" and "Define and maintain event types in Splunk Web" in the Knowledge Manager Manual.
- Scheduled search...: Select this to create a scheduled search that performs an action (such as sending an email with the results of the search to a set of people) each time the search runs. For more information, see "Define scheduled searches" in the Knowledge Manager Manual.
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18