Splunk® Enterprise

Search Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Manage search jobs

You can use the Jobs page to review and manage any job that you own.

If you have the Admin role, or a role with an equivalent set of capabilities, you can manage the search jobs run by all users of your Splunk implementation.

  1. In Splunk Web, to view a list of your jobs select Activity > Jobs. This opens the Jobs page.

This screen image shows the Jobs page. This example shows several search jobs. Each search job has several actions: Inspect, Save, and Delete. There are buttons with other options at the bottom of the page.

The Jobs page displays a list of different types of search jobs.

  • Jobs resulting from ad hoc searches or pivots that you have recently run manually.
  • Jobs for searches that are run when dashboards are loaded.
  • Jobs for scheduled searches.

Search job lifespans

A search job remains on the Jobs page list until the job expires and is automatically deleted by the Splunk software. The default lifespan for a search job depends on whether the search job is an artifact of an unscheduled or scheduled search.

For example, dashboard panels are created from saved searches. When you open a dashboard, the saved searches run and populate the panels with the latest information. These searches are unscheduled.

Unscheduled searches Scheduled searches
Reports that you run manually Scheduled reports
Real-time alerts Scheduled alerts
Ad hoc searches that you run in the Search bar
Dashboard panels that are based on a saved search, such as an ad hoc search, a report, or a pivot

The list of jobs in the Jobs page does not automatically refresh.

  • Jobs that are created after you display the Jobs page are not visible until you reload the Jobs page.
  • If a job expires while you have the Jobs page open, the job appears in the Jobs page list, but you cannot view the job results. Reload the Jobs page.

Job lifetimes for unscheduled searches

When you run an ad hoc search and the search is finalized or completes on its own, the resulting search job has a default lifetime of 10 minutes. When you open a dashboard panel, a search runs to populate the panel. Search jobs from opening dashboard panels also have 10 minute lifetimes.

You can extend the expiration time for a search job to 7 days by saving the search job using one of these methods.

  • Open the Jobs page and save the search job manually
  • Save the search job by sending it to the background while the search is still running


Whenever you view the results of a search job, the expiration time is reset so that the search job is retained for 7 days from the moment you access the job.

When you click a search job link in the Jobs page, the results from the search job appear in another window.

Change the default lifetime value for unscheduled searches

In Splunk Enterprise, you can change the default value for the job lifetime for unscheduled searches.

  1. Open the local limits.conf file for the Search app. For example, $SPLUNK_HOME/etc/apps/<app_name>/local.
  2. Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. See How to edit a configuration file in the Admin manual.
  3. In the [search] stanza, change the default_save_ttl value to a number that is appropriate for your needs. The acronym TTL is an abbreviation for "time to live."

If you are using Splunk Cloud and want to change the default job lifetime value for unscheduled searches, open a Support ticket.

Job lifetimes for scheduled searches

Scheduled searches launch search jobs on a regular interval. By default, these jobs are retained for the interval of the scheduled search multiplied by two. For example, if the search runs every 6 hours, the resulting jobs expire in 12 hours.

Change the default lifetime value for scheduled searches

In Splunk Enterprise, you can change the default lifetime for jobs resulting from a specific scheduled search.

  1. Open the local savedsearches.conf file. For example, $SPLUNK_HOME/etc/apps/<app_name>/local.
  2. Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. See How to edit a configuration file in the Admin manual.
  3. Locate the scheduled search, and change the dispatch.ttl setting to a different interval multiple.

If you are using Splunk Cloud and want to change the default job lifetime value for scheduled searches, open a Support ticket.

Search job actions

From the Jobs page you can perform many actions on a search job.

This screen image shows the Jobs page. This example shows several search jobs. Each search job has several actions: Inspect, Save, and Delete. There are buttons with other options at the bottom of the page.

View and compare jobs

You can see a list of the jobs you have recently dispatched or saved for later review. Use the list to compare job statistics such as run time, total count of events matched, size, and so on.

If you have the Admin role, or a role with equivalent or greater capabilities, you will see all of the jobs that have been recently dispatched for your Splunk deployment.

Check the progress of ongoing jobs

Use the Status column to check on the progress of ongoing jobs. The Status column shows the percent of the events that have been processed. Current jobs have a status of Running. Jobs that are running in the background have a status of Backgrounded.

You can check on jobs that are dispatched by scheduled searches, real-time searches, and long-running historical searches.

Save, pause, resume, finalize, and delete jobs

Use the buttons at the bottom of the Jobs page to save, pause, resume, finalize, and delete search or pivot jobs. You can perform these actions on an individual job, or on multiple jobs at one time.

  1. Select the checkbox to the left of the jobs you want to act on.
  2. Click the relevant button at the bottom of the page.

View search results

  1. Click on the search name or search string to view the results associated with a specific job.
The results open in a separate browser window.
  • If the job is related to a search that has not yet been saved as a report, the results appear in the Search view.
  • If the job is related to a report, Splunk Web opens the report and display the results there.

Determine how long before a job expires

The Expires column tells you how much time each job has before the job is deleted from the system. To review a search job after that expiration point, or to share the job with others, save the job.

Keep in mind, that jobs will still expire 7 days after they are saved unless you view the job directly during that 7 day period. See Extending job lifetimes.

In the Search app, you can save the last search or report job you ran without accessing the Jobs page, as long as the job hasn't already expired. See About jobs and job management.

Send a job to the background

You can also save a search job that you have run manually by clicking the Send to Background icon while the search is still running. This action automatically extends the job's lifetime to 7 days and sets its permissions to Everyone. Splunk Web also provides a link that you can use to share the job with others.

PREVIOUS
Share jobs and export results
  NEXT
Inspect search job properties

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters