Splunk® Enterprise

Search Manual

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

About jobs and job management

Each time you run a search, create a pivot, open a report, or load a dashboard panel, Splunk Enterprise creates a job in the system. This job contains the event data returned by that search, pivot, report, or panel. The Jobs page enables you to review and oversee your recently dispatched jobs, as well as those you may have saved earlier. In addition, if you have the Admin role or a role with equivalent capabilities, you can use the Jobs page to manage the jobs of all users in the system.

Access the Jobs page by clicking the Jobs link in the Activity drop down.

5.0-Job Mgr Link b.png

For more information about using the Jobs page, see Supervise jobs with the Jobs page in this manual.

You can also manage jobs through the command line of your operating system. For more information, see Manage search jobs from the OS in this manual.

Note: Just to be clear, search jobs are not the same as saved searches and saved reports. Reports contain data used to run those reports, such as search strings, time ranges, and the formatting for chart or table visualizations. Jobs are artifacts of previously run searches and reports. They contain the results of a particular run of a search or report. Jobs are dispatched by scheduled searches as well as manual runs of searches and reports.

For more information about saving searches as reports see Create and edit reports in the Reporting Manual.

Restrict the jobs users can run

The way to restrict how many jobs a given user can run, and how much space their job artifacts can take up is to define a role with these restrictions and assign them to it. You can apply a high level of granularity by giving unique roles to each user in your system.

Create a copy of the authorize.conf file that is in the Admin Manual. Place the copy of file in the $SPLUNK_HOME/etc/system/local directory. In the authorize.conf file, specify appropriate values for:

  • srchDiskQuota: Maximum amount of disk space (MB) that search jobs can use, for a user that belongs to this role.
  • srchJobsQuota: Maximum number of concurrently running searches that a user of this role can have.

For more information, refer to Add and edit roles in the Securing Splunk Enterprise manual.

Autopause long-running jobs

To handle inadvertently long-running search jobs, Splunk Enterprise provides an autopause feature. The feature is enabled by default only for summary dashboard clicks, to deal with the situation where users mistakenly initiate "all time" searches.

When autopause is enabled for a particular search view, the search view includes an autopause countdown field during a search. If the search time limit has been reached, an information window will appear to inform the user that the search has been paused. It offers the user the option of resuming or finalizing the search. By default, the limit before autopause is 30 seconds.

Autopause popup.png

Auto-pause is configurable only by view developers. It is not a system-wide setting nor is it configurable by role. The autopause feature can be enabled or disabled by editing the appropriate view. See How to turn off autopause in the Developing Views and Apps for Splunk Web manual. Also, see the host, source, and sourcetypes links on the summary dashboard for examples of autopause implementation.

Last modified on 11 January, 2016
Identify and group events into transactions
Extending job lifetimes

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters