Splunk Search

Stop search when user leaves dashboard

garfieldconnoll
Explorer

Hi,

I'm sure I've come across it, but I didn't bookmark at the time.

What is the parameter to stop the search behind a dashboard, when the user navigates away from the dashboard?

So, if I have users flitting around between dashboards, I want to stop the search if they navigate away from the dashboard before the search completes.

Make sense?

Thanks for any and all advice.

Regards,

Garfield.

Tags (2)
1 Solution

sideview
SplunkTrust
SplunkTrust

Short answer is that you dont really need one.

There's an argument called autocancel that the web interface sends to the splunk search API when a search is dispatched. The value sent is a number of seconds and Im not sure but I think we send autocancel=90 by default.

This argument says that when the search is running, if that many seconds go by without any requests to the job's assets, or without anyone hitting the /touch endpoint on the job, then the job will be cancelled.

This cancellation will not apply if either a) the job manages to finish during that time or b) someone 'saved' the results of the job or backgrounded the job, or c) some other view took over the responsibility of hitting endpoints for that running job.

That said, if that's not enough and you really dont want these unattended searches to run for even 90 seconds, there is something you can do. In the Advanced XML you can put a parameter on the <view> tag that looks like:

<view onUnloadCancelJobs="True">

And then when anyone leaves that view jobs will be explicitly cancelled EXCEPT for a) jobs that were saved by the user in that view, b) jobs that were dispatched by splunk as a part of a scheduled saved search.

I would think that simplified XML dashboards set this to True as well but I could be wrong.

View solution in original post

sideview
SplunkTrust
SplunkTrust

Short answer is that you dont really need one.

There's an argument called autocancel that the web interface sends to the splunk search API when a search is dispatched. The value sent is a number of seconds and Im not sure but I think we send autocancel=90 by default.

This argument says that when the search is running, if that many seconds go by without any requests to the job's assets, or without anyone hitting the /touch endpoint on the job, then the job will be cancelled.

This cancellation will not apply if either a) the job manages to finish during that time or b) someone 'saved' the results of the job or backgrounded the job, or c) some other view took over the responsibility of hitting endpoints for that running job.

That said, if that's not enough and you really dont want these unattended searches to run for even 90 seconds, there is something you can do. In the Advanced XML you can put a parameter on the <view> tag that looks like:

<view onUnloadCancelJobs="True">

And then when anyone leaves that view jobs will be explicitly cancelled EXCEPT for a) jobs that were saved by the user in that view, b) jobs that were dispatched by splunk as a part of a scheduled saved search.

I would think that simplified XML dashboards set this to True as well but I could be wrong.

Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...