Splunk Search

Is there a search or REST command to stop running searches forcefully?

splunk_worker
Path Finder

Hi

I want identify the long running searches who are running more than 5 min and stop them.

I'm able to find the long running searches from this command index=_internal source=scheduler.log run_time=* | table savedsearch_name, user, app, run_time, _time | sort - run_time

But, I'm not able to find what is the way to stop them?
Q1. Is there search command I can use to stop the running searches?
Q2. Do I need to pass this result to script and call REST command to Splunkd to stop the running searches? If yes, what is the REST command to stop the searches?

Please do the needful.

1 Solution

MuS
Legend

Hi splunk_worker,

Yes, there is a REST command to stop a running search.

Use this command to get a list of searches back:

curl -k -u admin:<pwd> https://localhost:8089/services/search/jobs/ | grep '<id>'

You can use the `` URL to cancel/delete this search like this:

curl -k -u admin:<pwd> --request DELETE https://localhost:8089/services/search/jobs/1416293763.77

and get back a response like this:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="INFO">Search job cancelled.</msg>
  </messages>
</response>

For more details have a look at the docs http://docs.splunk.com/Documentation/Splunk/6.2.0/RESTREF/RESTsearchExamples#search.2Fjobs.2F.7Bsear...

If you just need a nice table view of the running jobs, you can do this as well from the Splunk UI using this search:

| rest /services/search/jobs/ | table author, id

Hope this helps ...

cheers, MuS

View solution in original post

MuS
Legend

Hi splunk_worker,

Yes, there is a REST command to stop a running search.

Use this command to get a list of searches back:

curl -k -u admin:<pwd> https://localhost:8089/services/search/jobs/ | grep '<id>'

You can use the `` URL to cancel/delete this search like this:

curl -k -u admin:<pwd> --request DELETE https://localhost:8089/services/search/jobs/1416293763.77

and get back a response like this:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="INFO">Search job cancelled.</msg>
  </messages>
</response>

For more details have a look at the docs http://docs.splunk.com/Documentation/Splunk/6.2.0/RESTREF/RESTsearchExamples#search.2Fjobs.2F.7Bsear...

If you just need a nice table view of the running jobs, you can do this as well from the Splunk UI using this search:

| rest /services/search/jobs/ | table author, id

Hope this helps ...

cheers, MuS

damode
Motivator

Hi @MuS,

Whats the Windows equivalent of the above curl command ?
Thanks

0 Karma

MuS
Legend

Hi damode,

there is actually a windows version of curl available here https://curl.haxx.se/download.html or try this one https://superuser.com/questions/344927/powershell-equivalent-of-curl

Not a windows user so cannot be of much help here ¯\_(ツ)_/¯

cheers, MuS

0 Karma

damode
Motivator

Hi MuS,

Thanks for sharing the links.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...