Splunk® Enterprise

Search Manual

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Perform actions on running searches

Splunk provides a set of controls that you can use to manage "in process" searches and create reports and dashboards.

Control search job progress

After you launch a search, you can access and manage information about the search's job without leaving the Search page. Once your search is running, paused, or finalized, click Job and choose from the available options there.

You can:

  • Edit the job settings. Select this to open the Job Settings dialog, where you can change the job read permissions, extend the job lifetime, and get a URL for the job that you can use to share the job with others or put a link to the job in your browser's bookmark bar.
  • Send the job to the background. Select this if the search job is slow to complete and you would like to run the job in the background while you work on other Splunk activities (including running a new search job).
  • Inspect the job. Opens a separate window and displays information and metrics for the search job using the Search Job Inspector. You can select this action while the search is running or after it completes. For more information, see Using the Search Job Inspector in this manual.
  • Delete the job. Use this to delete a job that is currently running, is paused, or which has finalized. After you have deleted the job you can still save the search as a report.

For more information, see About jobs and job management in this manual.

Change the search mode

The Search mode controls the search experience. You can set it to speed up searches by cutting down on the event data it returns (Fast mode), or you can set it to return as much event information as possible (Verbose mode). In Smart mode (the default setting) it automatically toggles search behavior based on the type of search you're running.

This is discussed in more detail in the next topic, "Set search mode to adjust your search experience".

Save the results

The Save as menu lists options for saving the results of a search as a Report, Dashboard Panel, Alert, and Event type.

  • Report: If you would like to make the search available for later use, you can save it as a report. You can run the report again on an ad hoc basis by finding the report on the Reports listing page and clicking its name. Read more about how to "Create and edit reports" in the Reporting Manual.
  • Dashboard Panel: Click this if you'd like to generate a dashboard panel based on your search and add it to a new or existing dashboard. Learn more about dashboards in "Dashboards and Forms" and "About the Dashboard Editor." Both topics are in the Dashboards and Visualizations manual.
  • Alert: Click to define an alert based on your search. Alerts run saved searches in the background (either on a schedule or in real time). When the search returns results that meet a condition you have set in the alert definition, the alert is triggered. For more information, see "About alerts" in the Alerting Manual.
  • Event Type: Event types let you classify events that have common characteristics. If the search doesn't include a pipe operator or a subsearch, you can use this to save it as an event type. For more information, see "About event types" and "Define and maintain event types in Splunk Web" in the Knowledge Manager manual.

Other search actions

Between the job progress controls and search mode selector are three buttons which enable you to Share, Export, and Print the results of a search.

  • Click Share to share the job. When you select this, the job's lifetime is extended to 7 days and read permissions are set to Everyone.
  • Click Export to export the results. You can select to output to CSV, raw events, XML, or JSON and specify the number of results to export.
  • Click Print to send the results to a printer that has been configured.
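
Because Share extends the job's lifetime to 7 days and sets read permissions to Everyone, it is worth reviewing which jobs are in that state. The following is an added example, not part of the Splunk documentation, that flags world-readable jobs in a job listing. The listing is constructed, and its field names and the use of `*` to mean Everyone are assumptions about how a JSON job listing is laid out.

```python
import json

SEVEN_DAYS = 7 * 24 * 3600  # lifetime the page says Share applies, in seconds

# Constructed job listing. The field names (entry, content.sid, content.ttl,
# acl.owner, acl.perms.read) and "*" meaning Everyone are assumptions.
SAMPLE_LISTING = json.loads("""
{"entry": [
  {"content": {"sid": "1452500000.11", "ttl": 604800},
   "acl": {"owner": "alice", "perms": {"read": ["*"], "write": ["alice"]}}},
  {"content": {"sid": "1452500000.12", "ttl": 600},
   "acl": {"owner": "bob", "perms": {"read": ["bob"], "write": ["bob"]}}},
  {"content": {"sid": "1452500000.13", "ttl": 600},
   "acl": {"owner": "carol", "perms": {"read": ["*"], "write": ["carol"]}}},
  {"content": {"sid": "1452500000.14", "ttl": 604800},
   "acl": {"owner": "dave", "perms": null}}
]}
""")


def is_world_readable(acl):
    """True when the read list contains the Everyone wildcard."""
    perms = acl.get("perms") or {}  # perms may be missing or null
    return "*" in (perms.get("read") or [])


def audit_shared_jobs(listing, min_ttl=SEVEN_DAYS):
    """Return one finding per job whose results anyone can read."""
    findings = []
    for entry in listing.get("entry", []):
        acl = entry.get("acl") or {}
        if not is_world_readable(acl):
            continue
        content = entry.get("content") or {}
        ttl = int(content.get("ttl", 0))
        findings.append({
            "sid": content.get("sid"),
            "owner": acl.get("owner"),
            "ttl": ttl,
            # Matches what Share does: Everyone can read AND 7-day lifetime.
            "matches_share": ttl >= min_ttl,
        })
    return findings


if __name__ == "__main__":
    for f in audit_shared_jobs(SAMPLE_LISTING):
        print(f)
```

A job that is world-readable but short-lived (the third sample entry) is still reported, since read permissions can also be changed on their own in the Job Settings dialog.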

Additionally, use the Close button next to the Save as menu to cancel the search and return to Splunk Home.

Last modified on 11 January, 2016
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14