Splunk® Enterprise

Search Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Manage search jobs

You can use the Jobs page to review and manage any search that you own. If you have the Admin role, or a role with an equivalent set of capabilities, you can manage the search jobs run by all users of your implementation.

To view a list of your jobs, open the Jobs page in Splunk Web.

  1. In Splunk Web, select Activity > Jobs.

5.0-Job Mgr Link b.png

The Jobs page displays a list of search jobs. Search jobs displayed in the Jobs page list include:

  • Jobs resulting from searches or pivots that you have recently run manually.
  • Jobs that are artifacts of searches that are run when dashboards are loaded.
  • Jobs that are artifacts of scheduled searches (searches that are designed to run on a regular interval).
  • Jobs that have been saved.
    • You can save a search job manually via the Jobs page.
    • Search jobs are also saved automatically when you manually send a search to the background before it completes or you finalize it.

Note: If a job is canceled while you have the Jobs page open it can still appear in the Jobs page list, but you won't be able to view its results. If you close and reopen the Jobs page, the canceled job should disappear.

Search job lifetimes

Search jobs remain in the Jobs page until they are automatically deleted by the Splunk software. The default lifetime for a search job depends on whether the job is an artifact of a search that was launched manually, or is an artifact of a scheduled search.

Jobs from ad hoc searches and dashboard loads

When you manually run a search and the search is finalized or completes on its own, the resulting search job has a default lifetime of 10 minutes. Search jobs from searches that are artifacts of dashboard panel loads also have a 10 minute lifetime.

You can extend a search job's expiration time to 7 days by saving it. You can save a search job two ways: you can open the Jobs page and save the search job manually, or you can save the search job by sending it to the background while the search is still running.

In Splunk Enterprise, if you want to increase or decrease the retention time for saved jobs, go to limits.conf and change the default_save_ttl value for the [search] stanza to a number that is more appropriate for your needs. The acronym TTL stands for "time to live." If you are using Splunk Cloud and want to change the retention time for saved jobs, open a Support ticket.

Whenever you view the results of a search job (in other words, whenever you click its link in the Jobs page to bring up its results in another window) its expiration time is reset so that it is retained for 7 days from the moment when you accessed it.

Search jobs from scheduled searches

Scheduled searches launch search jobs on a regular interval. By default, such jobs will be retained for the interval of the scheduled search multiplied by two. So if the search runs every 6 hours, the resulting jobs will expire in 12 hours.

In Splunk Enterprise, you can change the default lifespan for jobs resulting from a specific scheduled search. To do this, go to savedsearches.conf, locate the scheduled search in question, and change its dispatch.ttl setting to a different interval multiple. If you are using Splunk Cloud and want to change this default, open a Support ticket.

Jobs page controls

Jobspage.png

Use the controls on the Jobs page to:

  • See a list of the jobs you've recently dispatched or saved for later review and use it to compare job statistics (run time, total count of events matched, size, and so on). If you have the Admin role or a role with equivalent or greater capabilities you will see all jobs that have been recently dispatched for your Splunk deployment.
  • Check on the progress of ongoing jobs that are running in the background (this includes both real-time searches and long-running historical searches) or jobs dispatched by scheduled searches.
  • Save, pause, resume, finalize, and delete search or pivot jobs, either individually or in bulk. Select the checkbox to the left of the job(s) you want to act on and click the relevant button at the bottom of the page.
  • Click on the search name or search string to view the results associated with a specific job. The results will open in a separate browser window.
    • If the job is related to a search that has not yet been saved as a report, you'll see the results in the Search view.
    • If the job is related to a report, Splunk Web will open the report and display the results there.
  • The Expires column tells you how much time each list job has before it is deleted from the system. If you want to be able to review a search job after that expiration point, or share it with others, save it. Keep in mind, however, that jobs will still expire 7 days after they are saved (unless you view the job directly during that 7 day period, in which case the expiration clock is reset). See "Search job lifespans," above, for more information.

In Search, you can save the last search or report job you ran without accessing the Jobs page, as long as the job hasn't already expired:

  • If you want to save a search job after running a search in the Search view, click Job and select Edit Job Settings to bring up the Job Settings dialog. Here you can set the job's Read Permissions (set them to Everyone if you want to share it with others), set the job's Lifetime to 7 days if you want to keep it for inspection, and get a Link To Job that you can use to share the job with others (if you've set its Permissions to Everyone).

Note: When you set a job's Lifetime to 7 days, the job is deleted after 7 days elapses unless it is viewed again. If it is viewed, its lifetime resets to 7 days from the moment that it is accessed.

  • You can also save a search job that you've run manually by clicking the Send to Background icon while the search is still running. This action automatically extends the job's lifetime to 7 days and sets its permissions to Everyone. Splunk Web also provides a link that you can use to share the job with others.

For more information, see About jobs and job management in this manual.

PREVIOUS
Saving and sharing jobs in Splunk Web
  NEXT
Using the Search Job Inspector

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters