Saved Splunks & Live Splunks
This documentation does not apply to the most recent version of Splunk.
Saved Splunks
A Saved Splunk is a bookmarked search you can run again to get the latest results.
Create a Saved Splunk
To create a Saved Splunk, browse to the menu option Splunks -> Save.
Run a Saved Splunk
To run a Saved Splunk, choose it from the Splunks -> Saved Splunks menu, or type savedsplunk::smtperrors into the Splunk box to run the Saved Splunk named smtperrors.
Live Splunks
(Splunk Professional only)
Live Splunks are Saved Splunks scheduled to run automatically at regular intervals, just like a cron job. A Live Splunk can be configured to search in a specific time period to show events since the last time the scheduled search was run. If matching events are found, an alert is generated. Only Admin and Power level users can create or modify Live Splunks.
Create a Live Splunk
First, create a Saved Splunk with the correct search parameters.
Then, go to the Admin section and click on the Splunks tab. Click on Live Splunks, then click on Add to create a new Live Splunk. Set the "Run every" frequency and the initial start time. If you do not set a start time, the default behavior is for your Live Splunk to start five minutes after you create it.
Click on "Show advanced time range options" to configure the time period to search for matching events. The default is to search the previous interval specified in "Run every". This means if you set your Live Splunk to run every 30 minutes, the default time range is the 30 minutes immediately preceding the scheduled time.
Alerts
If a Live Splunk's results trigger an alert, there are four ways it can alert users: the Splunk Server home page, email, RSS and a shell script.
Home page
Whenever you hit your Splunk server's home page, the Live Splunks section lists your Live Splunks (in the order you created them) with the number of alerts, frequency and next run time. The Alert Frequency bar graph shows the percentage of scheduled searches that generated an alert. Click on View Alerts to see a list of all alerts generated by all of your Live Splunks.
Email
If your Splunk Server host has outbound email enabled, Splunk can email an alert that looks like this.
From: livesplunk@splunk.enet.interfoo.net (Joe Admin)
Date: November 16, 2005 3:19:23 PM PST
To: admin-list@interfoo.net
Subject: alert if fewer than 10.

Live Splunk http:splunk.enet.interop.net:8000/?events?q=7%318989%32500%20m%69%6e%75t%65sago%3a%3a%310%20doma%69%6e%3a%3ad%65fa%75%6ct%20 triggered with the result : The Number of Events (0) was Less Than 10.
Splunk Name : calls home last 10 minutes
Query Terms : 7189892500 minutesago::10 index::default
Auto-generated by Splunk Professional
RSS
An RSS alert from a Live Splunk looks like this. The link value is a permalink URL to run the Live Splunk now on the server.
<?xml version="1.0"?>
<rss version="2.0">
<channel>
<title>test</title>
<link>http:qa-fc4:8000/?events?q=meta%3a%3aall%20</link>
<description>Live Splunk Feed for live splunk test</description>
<item>
<title>Query run from 0 To 1134079839</title>
<link>http:qa-fc4:8000/?events?q=meta%3a%3aall%20%20starttimeu%3a%3a0%20endtimeu%3a%3a1134079839</link>
<description> The Number of Events (1000) was Greater Than 1.</description>
<pubDate>1134079840</pubDate>
</item>
</channel>
</rss>
The on-screen appearance of the alert will vary depending on your RSS reader, but it will generally include the name of the Live Splunk, the time it was run, the rule that caused it to send an alert, and a link to run the Splunk yourself.
You can also attach the results of the Live Splunk to the notice. If you use the report:: feature to create a report table, it will attach the report.
Shell Script
A Live Splunk can call an alert shell script that you specify in the interface. Splunk will pass five arguments to your script:
- $1 - A results summary in XML.
- $2 - The search terms for the Live Splunk.
- $3 - The fully qualified query string for the Live Splunk.
- $4 - The name of the Live Splunk.
- $5 - The reason the Live Splunk triggered an alert.
Note: Versions 2.1 and 2.1.1 currently pass only the first two arguments. This is a known issue that will be resolved in version 2.1.2.
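As an added example (not part of the Splunk documentation, and not Splunk's own code), the following POSIX shell script shows one way to write an alert script for the five arguments listed above. It copes with the 2.1/2.1.1 behaviour where only $1 and $2 arrive, and it treats every argument as opaque data: each value is quoted, never evaluated, and carriage returns and newlines in the XML summary are squeezed out so that search results cannot forge a second log record. The ALERT_LOG path is an assumption chosen for this example.

```shell
#!/bin/sh
# Added example alert script for a Live Splunk (not from the Splunk docs).
# Splunk invokes it as: script.sh "$summary_xml" "$terms" "$query" "$name" "$reason"
# ALERT_LOG is an assumed location for this example.
ALERT_LOG="${ALERT_LOG:-/tmp/livesplunk_alerts.log}"

# one_line: replace CR/LF in a value with spaces so that a multi-line XML
# summary (or anything else an argument may contain) stays inside a single
# log record instead of forging an extra one.
one_line() {
    printf '%s' "$1" | tr '\r\n' '  '
}

# format_alert SUMMARY TERMS [QUERY NAME REASON]: build one log record.
# Arguments that Splunk 2.1/2.1.1 do not pass are reported as "-" so the
# record has the same shape on every version.
format_alert() {
    summary=$(one_line "${1:-}")
    terms=$(one_line "${2:--}")
    query=$(one_line "${3:--}")
    name=$(one_line "${4:--}")
    reason=$(one_line "${5:--}")
    printf 'name=%s | reason=%s | terms=%s | query=%s | summary=%s\n' \
        "$name" "$reason" "$terms" "$query" "$summary"
}

# handle_alert: prefix the record with a UTC timestamp and append it to
# ALERT_LOG. Arguments are passed through quoted; nothing is eval'd.
handle_alert() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(format_alert "$@")" >> "$ALERT_LOG"
}

# When Splunk runs the script it supplies the arguments; with none (for
# example when the file is sourced), do nothing.
if [ "$#" -gt 0 ]; then
    handle_alert "$@"
fi
```

Point a Live Splunk at this script in the interface; on a 2.1 or 2.1.1 server the record will show "-" for the query, name and reason fields, which is a quick way to confirm which arguments your server version actually delivers.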
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.