Splunk® Enterprise

Search Tutorial


This documentation does not apply to the most recent version of Splunk.

About search actions and modes

This topic explains search actions and search modes that you can use to control your search experience.


Control search job progress

After you launch a search, you can pause it and stop it using the buttons under the search bar. Also, you can access and manage information about the search's job without leaving the Search page. Click Job and choose from the available options there.


You can:

  • Edit the job settings. Select this option to open the Job Settings dialog box, where you can change the job's read permissions, extend the job's lifespan, and get a URL for the job that you can use to share the job with others or put a link to the job in your browser's bookmark bar.
  • Send the job to the background. Select this option if the search job is slow and you want to run the job in the background while you work on other Splunk Enterprise activities (including running a new search job).
  • Inspect the job. Select this option to open a separate window that displays information and metrics for the search job using the Search Job Inspector.
  • Delete the job. Use this option to delete a job that is running, is paused, or has finalized. After you delete the job, you can save the search as a report.

See "Saving and sharing jobs in Splunk Web" in the Search Manual.

Change the search mode

The search mode controls the search experience. You can set it to speed up searches by cutting down on the event data they return (Fast mode), or you can set it to return as much event information as possible (Verbose mode). In Smart mode (the default setting), it toggles search behavior based on the type of search you're running.


See "Set search mode to adjust your search experience" in the Search Manual.

Save the results

The Save as menu lists options for saving the results of a search as a Report, Dashboard Panel, Alert, or Event type.


Other search actions

Between the job progress controls and search mode selector are buttons that let you Share, Export, and Print the results of a search.


  • The Share option shares the search job. This option extends the job's lifetime to seven days and sets the read permissions to Everyone.
  • The Export option exports the results. Select this option to output to CSV, raw events, XML, or JSON and specify the number of results to export.
  • The Print option sends the results to a printer that has been configured.

Use the Close button to cancel the search and return to Splunk Home.

Next steps

Continue to the next topic for a discussion about the format of the search results.


This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12
