Splunk Job
splunk-job

Search job lifecycle orchestration for Splunk.

Purpose

Manage the complete lifecycle of Splunk search jobs including creation, monitoring, control actions (pause/cancel/finalize), and cleanup.

Risk Levels

| Operation | Risk | Notes |
|---|---|---|
| Get job status | - | Read-only |
| List jobs | - | Read-only |
| Create job | - | Easily reversible via cancel |
| Pause/unpause job | ⚠️ | Can be undone |
| Finalize job | ⚠️ | Stops the search early and returns whatever results exist so far (partial) |
| Cancel job | ⚠️ | Stops execution and discards the job's results |
| Delete job | ⚠️⚠️ | Removes the job and its results from the dispatch directory |

Triggers

  • "job", "search job", "SID"
  • "status", "progress", "state"
  • "cancel", "pause", "unpause", "finalize"
  • "list jobs", "delete job"

Job States (dispatchState)

```
QUEUED → PARSING → RUNNING → FINALIZING → DONE
                                        → FAILED
                 → PAUSED (on pause action)
```

| State | Description |
|---|---|
| QUEUED | Job waiting in queue |
| PARSING | SPL being parsed |
| RUNNING | Search executing |
| FINALIZING | Results being finalized |
| DONE | Completed successfully |
| FAILED | Error occurred |
| PAUSED | Paused by user; stays PAUSED until an unpause action is issued |

CLI Commands

| Command | Description |
|---|---|
| job create | Create search job, return SID |
| job status | Get dispatchState, progress, stats |
| job poll | Wait for job completion with timeout |
| job cancel | Issue /control/cancel action |
| job pause | Issue /control/pause action |
| job unpause | Issue /control/unpause action |
| job finalize | Issue /control/finalize action |
| job ttl | Set job time-to-live |
| job touch | Touch a job to extend its TTL |
| job list | List all search jobs for user |
| job delete | Remove job from dispatch directory |

Examples

Create and Monitor Job

```bash
# Create job
splunk-as job create "index=main | stats count by sourcetype" --earliest -1h
# Output: Job created: 1703779200.12345

# Check status
splunk-as job status 1703779200.12345
# Output: State: RUNNING, Progress: 45%, Events: 12345

# Wait for completion
splunk-as job poll 1703779200.12345 --timeout 300
# Output: Job completed: DONE, Results: 42
```

Job Control

```bash
# Pause running job
splunk-as job pause 1703779200.12345

# Resume paused job
splunk-as job unpause 1703779200.12345

# Cancel job
splunk-as job cancel 1703779200.12345

# Finalize (stop and return current results)
splunk-as job finalize 1703779200.12345
```

Job Management

```bash
# List all jobs
splunk-as job list
# Output: Table of active jobs with status

# Extend TTL (positional args: SID TTL_SECONDS)
splunk-as job ttl 1703779200.12345 3600

# Delete job
splunk-as job delete 1703779200.12345
```

API Endpoints

| Endpoint | Method | Description |
|---|---|---|
| /services/search/v2/jobs | POST | Create job |
| /services/search/v2/jobs/{sid} | GET | Get job status |
| /services/search/v2/jobs/{sid}/control | POST | Control actions |
| /services/search/jobs | GET | List jobs |
| /services/search/jobs/{sid} | DELETE | Delete job |

Control Actions

```python
# Available actions for the /control endpoint
actions = ['cancel', 'pause', 'unpause', 'finalize', 'touch', 'setttl', 'enablepreview', 'disablepreview']

# POST /services/search/v2/jobs/{sid}/control
# data={'action': 'cancel'}
# setttl additionally takes the new lifetime: data={'action': 'setttl', 'ttl': 3600}
```
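The state machine and the endpoints above fit together as one lifecycle: create, poll the dispatchState until it is terminal, control it, then delete. The example below is added here and is not `splunk-as` code or Splunk's own SDK. It uses the endpoint paths from the table; the `transport(method, path, data) -> dict` seam and the `FakeSplunk` test double are assumptions constructed so the client runs offline (in practice wire `transport` to urllib/requests with a bearer token). The poll loop stops on FAILED and, rather than burning its timeout, on PAUSED, which never reaches DONE on its own.

```python
"""Splunk search job lifecycle over the REST endpoints above (added example)."""
import time

CONTROL_ACTIONS = {"cancel", "pause", "unpause", "finalize", "touch",
                   "setttl", "enablepreview", "disablepreview"}


class JobFailed(RuntimeError):
    """dispatchState reached FAILED (or isFailed was set)."""


class JobPaused(RuntimeError):
    """Job is PAUSED: it cannot reach DONE until unpaused, so stop polling."""


class PollTimeout(TimeoutError):
    """Job still not terminal when the poll deadline passed."""


class JobClient:
    def __init__(self, transport, clock=time.monotonic, sleep=time.sleep):
        self._t, self._clock, self._sleep = transport, clock, sleep

    def create(self, spl, earliest="-1h", latest="now"):
        # Always send time bounds; Splunk needs a leading "search" unless the
        # SPL starts with a generating command ("| ...").
        query = spl.strip()
        if not query.startswith(("search ", "|")):
            query = "search " + query
        resp = self._t("POST", "/services/search/v2/jobs",
                       {"search": query, "earliest_time": earliest,
                        "latest_time": latest, "output_mode": "json"})
        return resp["sid"]

    def status(self, sid):
        resp = self._t("GET", f"/services/search/v2/jobs/{sid}", {"output_mode": "json"})
        return resp["entry"][0]["content"]

    def control(self, sid, action, **params):
        if action not in CONTROL_ACTIONS:
            raise ValueError(f"unknown control action {action!r}")
        if action == "setttl" and "ttl" not in params:
            raise ValueError("setttl needs ttl=<seconds>")
        return self._t("POST", f"/services/search/v2/jobs/{sid}/control",
                       {"action": action, **params})

    def poll(self, sid, timeout=300, interval=2.0):
        deadline = self._clock() + timeout
        while True:
            content = self.status(sid)
            state = content["dispatchState"]
            if state == "DONE":
                return content
            if state == "FAILED" or content.get("isFailed"):
                raise JobFailed(f"{sid}: {content.get('messages', state)}")
            if state == "PAUSED":
                raise JobPaused(sid)
            if self._clock() >= deadline:
                raise PollTimeout(f"{sid} still {state} after {timeout}s")
            self._sleep(interval)

    def delete(self, sid):
        return self._t("DELETE", f"/services/search/jobs/{sid}", {})


class FakeSplunk:
    """Constructed in-memory stand-in (not Splunk): each GET advances one state."""
    SEQUENCE = ["QUEUED", "PARSING", "RUNNING", "FINALIZING", "DONE"]

    def __init__(self):
        self.jobs, self.calls = {}, []

    def __call__(self, method, path, data):
        self.calls.append((method, path))
        if (method, path) == ("POST", "/services/search/v2/jobs"):
            sid = f"1703779200.{12345 + len(self.jobs)}"   # constructed SID
            self.jobs[sid] = {"step": 0, "paused": False, "ttl": 600}
            return {"sid": sid}
        parts = path.strip("/").split("/")
        sid = parts[-2] if parts[-1] == "control" else parts[-1]
        job = self.jobs.get(sid)
        if job is None:
            raise LookupError(f"HTTP 404: unknown sid {sid}")
        if method == "GET":
            state = "PAUSED" if job["paused"] else self.SEQUENCE[job["step"]]
            content = {"sid": sid, "dispatchState": state, "isPaused": job["paused"],
                       "isFailed": False, "isDone": state == "DONE", "ttl": job["ttl"],
                       "doneProgress": job["step"] / (len(self.SEQUENCE) - 1),
                       "resultCount": 42 if state == "DONE" else 0}
            if not job["paused"] and state != "DONE":
                job["step"] += 1
            return {"entry": [{"content": content}]}
        if method == "DELETE":
            del self.jobs[sid]
            return {}
        action = data["action"]                      # POST .../control
        if action == "pause":
            job["paused"] = True
        elif action == "unpause":
            job["paused"] = False
        elif action == "cancel":
            del self.jobs[sid]                       # cancel also discards results
        elif action == "finalize":
            job["step"] = len(self.SEQUENCE) - 1     # DONE with partial results
        elif action == "setttl":
            job["ttl"] = int(data["ttl"])
        return {"action": action}


def demo():
    """Create, poll to DONE, extend TTL, delete; returns a summary dict."""
    now, fake = [0.0], FakeSplunk()
    client = JobClient(fake, clock=lambda: now[0],
                       sleep=lambda s: now.__setitem__(0, now[0] + s))
    sid = client.create("index=main | stats count by sourcetype", earliest="-1h")
    done = client.poll(sid, timeout=300)
    client.control(sid, "setttl", ttl=3600)
    ttl = client.status(sid)["ttl"]
    client.delete(sid)
    return {"sid": sid, "state": done["dispatchState"], "results": done["resultCount"],
            "elapsed": now[0], "ttl": ttl, "remaining": len(fake.jobs)}
```

`demo()` walks the happy path; against the real API the only change is the `transport` implementation, since every state check is on `dispatchState`/`isFailed` from the job's `content` entry, exactly the properties the CLI's `job status` reports.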

Job Properties

| Property | Description |
|---|---|
| sid | Search job ID |
| dispatchState | Current state |
| doneProgress | Completion 0.0-1.0 |
| eventCount | Events matched/returned by the search |
| resultCount | Results produced (after transforming commands) |
| scanCount | Events scanned (read off disk) to find the matches |
| runDuration | Execution time |
| ttl | Time to live |
| isFailed | Failure flag |
| isPaused | Pause flag |

Best Practices

  1. Always set time bounds in the search query
  2. Use an appropriate `--timeout` for `job poll`
  3. Cancel jobs when results are no longer needed
  4. Monitor progress for long-running searches
  5. Extend TTL for jobs you need to keep

Related Skills