Splunk® Light

Getting Started Manual

Manage the search experience in Splunk Light

This topic discusses search job actions and search modes you can use to manage your search experience. For example, if your search takes too long to run, you can pause it or stop it.

Select time ranges to apply to your search

Use the time range picker to set time boundaries on your searches. You can restrict the search to Preset time ranges, custom Relative time ranges, and custom Real-time time ranges. You can also specify a Date Range, a Date & Time Range, and use more advanced options for specifying the time ranges for a search.

When you start a new search, the default time range is Last 24 hours. This default helps you avoid running searches with overly broad time ranges, which waste system resources and produce more results than you need.

Note: If you are in a different time zone than the Splunk instance that indexed the data, time-based searches use the event timestamps from that instance.

Search job actions

The search actions are buttons located under the search bar.

While the search is running, you can use the buttons to Pause and Stop the search. Also, you can access and manage information about the search's job without leaving the Search page.

  • Edit job settings. Select this option to open the Job Settings dialog box, where you can change the job's read permissions, extend the job's lifespan, and get a URL for the job that you can use to share the job with others or put a link to the job in your browser's bookmark bar.
  • Send job to the background. Select this option if the search job is slow and you want to run the job in the background while you work on other Splunk Light activities (including running a new search job).
  • Inspect job. Opens a separate window and displays information and metrics for the search job using the Search Job Inspector.
  • Delete job. Use this option to delete a job that is running, is paused, or has finalized. After you delete the job, you can save the search as a report.

After the search completes, you can also Share, Export, or Print it.

  • The Share option shares the search job. This option extends the job's lifetime to seven days and sets the read permissions to Everyone.
  • The Export option exports the results. Select this option to output to CSV, raw events, XML, or JSON and specify the number of results to export.
  • The Print option sends the results to a printer that has been configured.

Search modes

The search mode selector is at the bottom right-hand corner of the search bar. The available modes are Smart Mode (default), Fast Mode, and Verbose Mode.

The search mode controls the search experience. You can set it to speed up searches by cutting down on the event data it returns (Fast Mode), or you can set it to return as much event information as possible (Verbose Mode). In Smart Mode (the default setting), it toggles search behavior based on the type of search you're running.

The Fast and Verbose modes represent the two ends of the search mode spectrum. The default Smart mode switches between them depending on the type of search that you are running. Whenever you first run a saved search, it will run in Smart mode.

This documentation applies to the following versions of Splunk® Light: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0
