Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About search jobs and search job management

Each time you run a search or generate a report, Splunk creates a search job in the system. This job contains the event data returned by that search or report. The Job Manager enables you to review and oversee your recently dispatched jobs, as well as those you may have saved earlier. In addition, if you have the Admin role or a role with equivalent capabilities, you can use the Job Manager to manage the jobs of all users in the system.

Access the Job Manager by clicking the Jobs link in the upper right hand corner of the screen.

Jobs link.png

For more information about using the Job Manager, see "Supervise your search jobs with the Job Manager.", in this manual.

You can also manage jobs through the command line of your operating system. For more information, see "Manage search jobs from the operating system", in this manual.

Note: Just to be clear, search jobs are not the same as saved searches and saved reports. Saved searches and saved reports contain data used to run those searches and reports, such as the search string and the time arguments used to dispatch searches. Jobs are artifacts of previously run searches and reports. They contain the results of a particular run of a search or report. Jobs are dispatched by scheduled searches as well as manual runs of searches and reports in the user interface.

For more information about saving searches see "Save searches and share them with others" in this manual. For more information about saving reports, see "Save reports and share them with others" in the Splunk Data Visualizations Manual.

Restrict the jobs users can run

The way to restrict how many jobs a given user can run, and how much space their job artifacts can take up is to define a role with these restrictions and assign them to it. You can do this at a very high level of granularity; each user in your system can have their own role.

Create a capability in a copy of authorize.conf in $SPLUNK_HOME/etc/system/local and give it appropriate values of:

  • srchDiskQuota: Maximum amount of disk space (MB) that can be taken by search jobs of a user that belongs to this role.
  • srchJobsQuota: Maximum number of concurrently running searches a member of this role can have.

For more information, refer to "Add and edit roles" in Securing Splunk.

Autopause long-running jobs

To handle inadvertently long-running search jobs, Splunk provides an autopause feature. The feature is enabled by default only for summary dashboard clicks, to deal with the situation where users mistakenly initiate "all time" searches.

When autopause is enabled for a particular search view, the search view includes an autopause countdown field during a search. If the search time limit has been reached, an information window will appear to inform the user that the search has been paused. It offers the user the option of resuming or finalizing the search. By default, the limit before autopause is 30 seconds.

Autopause popup.png

Auto-pause is configurable only by view developers. It is not a system-wide setting nor is it configurable by role. The autopause feature can be enabled or disabled by editing the appropriate view. See "How to turn off autopause" in the Developer manual. Also, see the host, source, and sourcetypes links on the summary dashboard for examples of autopause implementation.[[[Category:V:Splunk:5.0]]

PREVIOUS
Configure the priority of scheduled searches
  NEXT
Supervise your search jobs with the Job Manager

This documentation applies to the following versions of Splunk® Enterprise: 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters