About jobs and job management
Each time you run a search, create a pivot, open a report, or load a dashboard panel, Splunk Enterprise creates a job in the system. This job contains the event data returned by that search, pivot, report, or panel. The Jobs page enables you to review and oversee your recently dispatched jobs, as well as those you may have saved earlier. In addition, if you have the Admin role or a role with equivalent capabilities, you can use the Jobs page to manage the jobs of all users in the system.
Access the Jobs page by clicking the Jobs link in the Activity drop down.
For more information about using the Jobs page, see Supervise jobs with the Jobs page in this manual.
You can also manage jobs through the command line of your operating system. For more information, see Manage search jobs from the OS in this manual.
Note: Just to be clear, search jobs are not the same as saved searches and saved reports. Reports contain data used to run those reports, such as search strings, time ranges, and the formatting for chart or table visualizations. Jobs are artifacts of previously run searches and reports. They contain the results of a particular run of a search or report. Jobs are dispatched by scheduled searches as well as manual runs of searches and reports.
For more information about saving searches as reports see Create and edit reports in the Reporting Manual.
Restrict the jobs users can run
The way to restrict how many jobs a given user can run, and how much space their job artifacts can take up is to define a role with these restrictions and assign them to it. You can apply a high level of granularity by giving unique roles to each user in your system.
Create a copy of the
authorize.conf file that is in the Admin Manual. Place the copy of file in the
$SPLUNK_HOME/etc/system/local directory. In the
authorize.conf file, specify appropriate values for:
srchDiskQuota:Maximum amount of disk space (MB) that search jobs can use, for a user that belongs to this role.
srchJobsQuota: Maximum number of concurrently running searches that a user of this role can have.
For more information, refer to Add and edit roles in the Securing Splunk Enterprise manual.
Autopause long-running jobs
To handle inadvertently long-running search jobs, Splunk Enterprise provides an autopause feature. The feature is enabled by default only for summary dashboard clicks, to deal with the situation where users mistakenly initiate "all time" searches.
When autopause is enabled for a particular search view, the search view includes an autopause countdown field during a search. If the search time limit has been reached, an information window will appear to inform the user that the search has been paused. It offers the user the option of resuming or finalizing the search. By default, the limit before autopause is 30 seconds.
Auto-pause is configurable only by view developers. It is not a system-wide
setting nor is it configurable by role. The autopause feature can be enabled or disabled by editing the appropriate view. See How to turn off autopause in the Developing Views and Apps for Splunk Web manual. Also, see the
host, source, and
sourcetypes links on the summary dashboard for examples of autopause implementation.
Identify and group events into transactions
Extending job lifetimes
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14