Splunk® Enterprise

Search Tutorial

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

About search actions and modes

This topic explains search actions and search modes that you can use to control your search experience.

6.1 tutorial search actionsandmodes.png

Control search job progress

After you launch a search, you can pause it and stop it using the buttons under the search bar. Also, you can access and manage information about the search's job without leaving the Search page.

6.1 tutorial searchjob controls.png

Click Job and choose from the available options there.

  • Edit job settings. Open the Job Settings dialog box where you can change the job's read permissions, extend the job's lifespan, and get a URL for the job that you can use to share the job with others or put a link to the job in your browser's bookmark bar.
  • Send job to the background. If the search job is slow and you want to run the job in the background while you work on other Splunk Enterprise activities (including running a new search job).
  • Inspect job. Opens a separate window and displays information and metrics for the search job using the Search Job Inspector.
  • Delete job. Delete a job that is running, is paused, or which has finalized. After you delete the job, you can save the search as a report.

See "Saving and sharing jobs in Splunk Web" in the Search Manual.

Change the search mode

The Search mode controls the search experience. You can set it to speed up searches by cutting down on the event data it returns (Fast mode), or you can set it to return as much event information as possible (Verbose mode). In Smart mode (the default setting) it toggles search behavior based on the type of search you're running.

6.1 tutorial searchmode selector.png

See "Set search mode to adjust your search experience" in the Search Manual.

Save the results

The Save as menu lists options for saving the results of a search as a Report, Dashboard Panel, Alert, and Event type.

6.1 tutorial saveas menu.png

Other search actions

Between the job progress controls and search mode selector are buttons that let you Share, Export, and Print the results of a search.

6.1 tutorial search actions.png

  • The Share option shares the search job. This option extends the job's lifetime to seven days and sets the read permissions to Everyone.
  • The Export option exports the results. Output to CSV, raw events, XML, or JSON and specify the number of results to export.
  • The Print option sends the results to a printer that has been configured.

Click Close to cancel the search and return to Splunk Home.

Next steps

Continue to the next topic for a discussion about the format of the search results.

Last modified on 01 February, 2016
About the time range picker
About the search results tabs

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters