Solved: Re: Stop search when user leaves dashboard

garfieldconnoll · ‎09-19-2010

Hi,

I'm sure I've come across it, but I didn't bookmark at the time.

What is the parameter to stop the search behind a dashboard, when the user navigates away from the dashboard?

So, if I have users flitting around between dashboards, I want to stop the search if they navigate away from the dashboard before the search completes.

Make sense?

Thanks for any and all advice.

Regards,

Garfield.

sideview · ‎09-19-2010

Short answer is that you dont really need one.

There's an argument called autocancel that the web interface sends to the splunk search API when a search is dispatched. The value sent is a number of seconds and Im not sure but I think we send autocancel=90 by default.

This argument says that when the search is running, if that many seconds go by without any requests to the job's assets, or without anyone hitting the /touch endpoint on the job, then the job will be cancelled.

This cancellation will not apply if either a) the job manages to finish during that time or b) someone 'saved' the results of the job or backgrounded the job, or c) some other view took over the responsibility of hitting endpoints for that running job.

That said, if that's not enough and you really dont want these unattended searches to run for even 90 seconds, there is something you can do. In the Advanced XML you can put a parameter on the <view> tag that looks like:

<view onUnloadCancelJobs="True">

And then when anyone leaves that view jobs will be explicitly cancelled EXCEPT for a) jobs that were saved by the user in that view, b) jobs that were dispatched by splunk as a part of a scheduled saved search.

I would think that simplified XML dashboards set this to True as well but I could be wrong.

View solution in original post

sideview · ‎09-19-2010

Short answer is that you dont really need one.

There's an argument called autocancel that the web interface sends to the splunk search API when a search is dispatched. The value sent is a number of seconds and Im not sure but I think we send autocancel=90 by default.

This argument says that when the search is running, if that many seconds go by without any requests to the job's assets, or without anyone hitting the /touch endpoint on the job, then the job will be cancelled.

This cancellation will not apply if either a) the job manages to finish during that time or b) someone 'saved' the results of the job or backgrounded the job, or c) some other view took over the responsibility of hitting endpoints for that running job.

That said, if that's not enough and you really dont want these unattended searches to run for even 90 seconds, there is something you can do. In the Advanced XML you can put a parameter on the <view> tag that looks like:

<view onUnloadCancelJobs="True">

And then when anyone leaves that view jobs will be explicitly cancelled EXCEPT for a) jobs that were saved by the user in that view, b) jobs that were dispatched by splunk as a part of a scheduled saved search.

I would think that simplified XML dashboards set this to True as well but I could be wrong.

Stop search when user leaves dashboard

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup