Actions

Let's inspect the elements on this page. Below the Search bar, we have the event count, action icons, and menus:

Starting from the left, we have the following:

• The number of events matched by the base search. Technically, this may not be the number of results pulled from disk, depending on your search. Also, if your query uses commands, this number may not match what is shown in the event listing.
• Job: It opens the Search job inspector window, which provides very detailed information about the query that was run.
• Pause: It causes the current search to stop locating events but keeps the job open. This is useful if you want to inspect the current results to determine whether you want to continue a long-running search.
• Stop: This stops the execution of the current search but keeps the results generated so far. This is useful when you have found enough and want to inspect or share the results found so far.
• Share: It shares the search job. This option extends the job's lifetime to seven days and sets the read permissions to everyone.
• Print: This formats the page for printing and instructs the browser to print.
• Export: It exports the results. Select this option to output to CSV, raw events, XML, or JavaScript Object Notation (JSON) and specify the number of results to export.
• Smart mode: This controls the search experience. You can set it to speed up searches by cutting down on the event data it returns and additionally by reducing the number of fields that Splunk will extract by default from the data (Fast mode). You can otherwise set it to return as much event information as possible (Verbose mode). In Smart mode (the default setting), it toggles search behavior based on the type of search you're running.