Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Stop search when user leaves dashboard

garfieldconnoll
Explorer
‎09-19-2010 06:54 PM

Hi,

I'm sure I've come across it, but I didn't bookmark at the time.

What is the parameter to stop the search behind a dashboard, when the user navigates away from the dashboard?

So, if I have users flitting around between dashboards, I want to stop the search if they navigate away from the dashboard before the search completes.

Make sense?

Thanks for any and all advice.

Regards,

Garfield.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎09-19-2010 08:02 PM

Short answer is that you dont really need one.

There's an argument called autocancel that the web interface sends to the splunk search API when a search is dispatched. The value sent is a number of seconds and Im not sure but I think we send autocancel=90 by default.

This argument says that when the search is running, if that many seconds go by without any requests to the job's assets, or without anyone hitting the /touch endpoint on the job, then the job will be cancelled.

This cancellation will not apply if either a) the job manages to finish during that time or b) someone 'saved' the results of the job or backgrounded the job, or c) some other view took over the responsibility of hitting endpoints for that running job.

That said, if that's not enough and you really dont want these unattended searches to run for even 90 seconds, there is something you can do. In the Advanced XML you can put a parameter on the <view> tag that looks like: 

<view onUnloadCancelJobs="True">

And then when anyone leaves that view jobs will be explicitly cancelled EXCEPT for a) jobs that were saved by the user in that view, b) jobs that were dispatched by splunk as a part of a scheduled saved search.

I would think that simplified XML dashboards set this to True as well but I could be wrong.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎09-19-2010 08:02 PM

Short answer is that you dont really need one.

There's an argument called autocancel that the web interface sends to the splunk search API when a search is dispatched. The value sent is a number of seconds and Im not sure but I think we send autocancel=90 by default.

This argument says that when the search is running, if that many seconds go by without any requests to the job's assets, or without anyone hitting the /touch endpoint on the job, then the job will be cancelled.

This cancellation will not apply if either a) the job manages to finish during that time or b) someone 'saved' the results of the job or backgrounded the job, or c) some other view took over the responsibility of hitting endpoints for that running job.

That said, if that's not enough and you really dont want these unattended searches to run for even 90 seconds, there is something you can do. In the Advanced XML you can put a parameter on the <view> tag that looks like: 

<view onUnloadCancelJobs="True">

And then when anyone leaves that view jobs will be explicitly cancelled EXCEPT for a) jobs that were saved by the user in that view, b) jobs that were dispatched by splunk as a part of a scheduled saved search.

I would think that simplified XML dashboards set this to True as well but I could be wrong.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...