Splunk® Enterprise

Search Manual

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Search actions

Splunk software provides a set of controls that you can use to manage "in process" searches and to create reports and dashboards.

Control search job progress

After you launch a search, you can access and manage information about the search job without leaving the Search view.

  1. After your search is running, paused, or finalized, click Job from the Search actions group.
    This image shows the options on the Job drop down list. The options are described in the following text.
  2. Select an option from the list.
    • Edit job settings. Opens the Job Settings dialog, where you can change the read permissions for the job, extend the job lifespan, and get a URL for the job. You can use the URL to share the job with others or to add a bookmark to the job in your Web browser.
    • Send job to the background. Runs the job in the background. Use this option if the search job is slow to complete. This enables you to work on other activities, including running a new search job.
    • Inspect job. Opens the Search Job Inspector window and displays information and metrics about the search job. You can select this action while the search is running or after the search completes. For more information, see View search job properties.
    • Delete job. Deletes the current job, even if that job is running, paused, or has finalized. After you delete the job you can still save the search as a report.

For more information, see About jobs and job management.

Change the search mode

The search mode controls the search experience. The default search mode is Smart Mode.

Fast Mode
Speeds up searches by cutting down on the amount of event information that the search returns.
Verbose Mode
Returns as much event information as possible.
Smart Mode
Automatically toggles the search behavior between Fast Mode and Verbose Mode, based on the type of search that you are running.

This image shows the three search modes: Fast, Smart, Verbose. The Fast mode turns off field discovery for event searches. The field and event data is turned off for searches with the stats command. The Smart mode turns on field discovery for event searches. The Verbose mode returns all field and event data.

For more information, see Search modes in this manual.

Save the results

The Save as menu lists options for saving the results of a search as a report, dashboard panel, alert, and event type.

This screen image shows the Save As drop-down list of save options. The options are described in the following text.

Report
Saves a search as a report to use the search again later. You can run the report again from the Reports page. You access the Reports page from the App bar. Read more about how to Create and edit reports in the Reporting Manual.
Dashboard Panel
Generates a dashboard panel based on your search and adds it to a new or existing dashboard. To learn more, see the Dashboard overview in the Dashboards and Visualizations manual.
Alert
Defines an alert based on your search. An alert runs a report in the background (either on a schedule or in real time). When the search returns results that meet a condition you have set in the alert definition, the alert is triggered. For more information, see the Alerting Manual.
Event Type
Classifies events that have common characteristics. If the search does not include a pipe operator or a subsearch, you can use this option to save the search as an event type. For more information, see About event types and Define event types in Splunk Web in the Knowledge Manager manual.

Other search actions

Between the job progress controls and search mode selector are three buttons which enable you to Share, Export, and Print the results of a search.

  • Click Share to share the job. When you select this, the job's lifetime is extended to 7 days and read permissions are set to Everyone. For more information about jobs, see About jobs and job management in this manual.
  • Click Export to export the results. You can select to output to CSV, raw events, XML, or JSON and specify the number of results to export.
  • Click Print to send the results to a printer that has been configured.
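
Because Share sets a job's read permissions to Everyone and extends its lifetime to 7 days, it is useful to review which jobs are in that state. The following is an added example, not part of the Splunk documentation: it flags such jobs in a job listing. The JSON layout (`acl.perms.read`, `content.sid`, `content.ttl`), the `*` value standing for Everyone, and the sample data are assumptions constructed for illustration.

```python
import json

SEVEN_DAYS = 7 * 24 * 60 * 60  # lifetime that Share sets, in seconds

# Constructed sample shaped like a JSON search-job listing.
# Field names and the "*" wildcard for Everyone are assumptions.
SAMPLE = json.loads("""
{"entry": [
  {"author": "alice",
   "acl": {"perms": {"read": ["*"], "write": ["alice"]}},
   "content": {"sid": "1700000000.11", "ttl": 604800,
               "search": "search index=main sourcetype=auth"}},
  {"author": "bob",
   "acl": {"perms": {"read": ["bob"], "write": ["bob"]}},
   "content": {"sid": "1700000100.12", "ttl": 600,
               "search": "search index=web status=500"}},
  {"author": "carol",
   "acl": {"perms": null},
   "content": {"sid": "1700000200.13", "ttl": 604800,
               "search": "search index=hr"}}
]}
""")

def world_readable(entry):
    """True when the job's read list contains the Everyone wildcard."""
    perms = (entry.get("acl") or {}).get("perms") or {}
    return "*" in (perms.get("read") or [])

def audit_shared_jobs(listing, min_ttl=SEVEN_DAYS):
    """Return jobs readable by Everyone, longest-lived first."""
    findings = []
    for entry in listing.get("entry", []):
        if not world_readable(entry):
            continue  # private jobs are out of scope, whatever their lifetime
        content = entry.get("content") or {}
        ttl = int(content.get("ttl", 0))
        findings.append({
            "sid": content.get("sid"),
            "owner": entry.get("author"),
            "ttl": ttl,
            "long_lived": ttl >= min_ttl,  # matches the 7-day Share lifetime
            "search": content.get("search", ""),
        })
    return sorted(findings, key=lambda f: f["ttl"], reverse=True)

if __name__ == "__main__":
    for finding in audit_shared_jobs(SAMPLE):
        print(finding)
```

Only the first sample job is reported: the second is private, and the third has a 7-day lifetime but no Everyone read permission.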

Additionally, use the Close button next to the Save as menu to cancel the search and return to Splunk Home.

See also

About the Search app
Last modified on 17 May, 2023

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2

