savedsearches.conf
Savedsearches.conf stores saved searches and their associated schedules and alerts.
To edit this configuration for your local Splunk server, make your edits in $SPLUNK_HOME/etc/bundles/local/savedsearches.conf.
You can create this file by copying examples from $SPLUNK_HOME/etc/bundles/README/savedsearches.conf.example.
Never edit files in our default bundle in $SPLUNK_HOME/etc/bundles/default or your changes may be overwritten in an upgrade.
How to read a savedsearches.conf file
If you are having trouble getting your alerts to work correctly, you can always look at your configuration directly to see what Splunk thinks your saved search is set up to do. Here's a sample entry:
[sudoalert]
action_rss = 1
counttype = number of events
disabled = false
enableSched = 1
isGlobal = 0
quantity = 0
query = sudo
relation = greater than
schedule = */12 * * * *
sendresults = 0
userid = 1
nextrun = 1187116073
This configuration runs the saved search called "sudoalert" ([sudoalert], query = sudo) every 5 minutes (enableSched = 1, schedule = */12 * * * *), with the next run at 1187116073, or Tue, 14 Aug 2007 18:27:53 GMT. It looks for a number of events (counttype = number of events) greater than 0 (quantity = 0) and creates an RSS feed (action_rss = 1). It is owned by userid 1 (which is usually admin) and is not shared (isGlobal = 0).
If the instance were using LDAP authentication, you would see a username ("admin") rather than a number. In the UI, you would see the schedule shown as "Every 5 minutes" because the cron schedule given matches one of the Basic options. If it didn't, you would instead see the exact cron schedule. Internally, Splunk uses the cron style.
When this search runs, you will see an entry in the splunkd.log like this:
08-15-2007 10:46:34.050 INFO SavedSplunker - SavedSplunker::sendQuery: Running saved_search='sudoalert' - result='success' - alert='number of events=0 is greater than 0' - triggering - action='no action' - number of events=0
Note: In the 3.0 GA build, there is a bug in the cron scheduling where the step interval is incorrectly handled. So for now */12 means every five minutes, rather than the */5 you would expect. Keep this in mind if you are writing cron schedules by hand.
savedsearches.conf.spec
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains all the possible values for saved Splunk entries in a
# savedsearches.conf file.
# A configuration looks like:
# [<Splunk name>]
# attribute1 = val1
# ...
[<Splunk name>]
* Name of the saved Splunk (header)
query = <string>
* Actual query terms of this saved Splunk (e.g. meta::all)
userid = <integer>
* UserId that is bound to this Splunk, use "1" for admin
Possible values: Any Splunk user id.
isglobal = <integer>
* If isglobal is set to 1, everyone can see/use this Splunk
Possible values: 1/0.
id = <integer>
* This saved Splunk ID (ids are in increasing order starting from 0)
Possible values: [1-MAXINT].
name = <string>
* Actual displayed name of the saved Splunk.
counttype = <string>
* Which count to compare the quantity against relation
Possible values: "number of events", "number of hosts",
"number of sources", "number of sourcetypes"
relation = <string>
* How to compare against count
Possible values: "greater than", "less than", "equal to",
"drops by", "rises by"
quantity = <integer>
* Number to compare against the number returned for the given counttype
schedule = <string>
* Cron style schedule (e.g. */12 * * * *)
action_script = <string>
* Name of shell script to run
action_rss = <integer>
* Whether or not to create an rss link
Possible values: 1/0
action_email = <string>
* Comma delimited list of email addresses to send to
sendresults = <integer>
* Whether or not to send the results along with the email/shell script
Possible values: 1/0
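The "How to read a savedsearches.conf file" section above shows how to decode one stanza by hand, and the spec lists the allowed values for each attribute. The following script, an added example that is not Splunk's own code, parses a savedsearches.conf in the stanza format shown on this page, decodes nextrun the way the walkthrough does, checks counttype, relation, quantity, schedule and the 1/0 flags against the spec, and reports the stanzas an administrator would want to review: searches that are global, that run a shell script, or that pass search results to an email or script action. Attribute names are lower-cased when parsed, an assumption made because the page itself spells isGlobal/isglobal both ways. The [sudoalert] stanza is taken from the page; the second stanza, [example_script_alert] with notify.sh, is constructed for the example and is not from any real deployment.

```python
"""Parse and audit a Splunk 3.x savedsearches.conf (added example, not Splunk's code)."""
import re
from datetime import datetime, timezone

# Allowed values copied from the savedsearches.conf.spec text on this page.
COUNTTYPES = {"number of events", "number of hosts",
              "number of sources", "number of sourcetypes"}
RELATIONS = {"greater than", "less than", "equal to", "drops by", "rises by"}
FLAG_KEYS = {"isglobal", "action_rss", "sendresults"}   # spec says 1/0

# Constructed sample: the [sudoalert] stanza from the page plus a hypothetical
# second stanza (script name and query are made up for the example).
SAMPLE_CONF = """\
[sudoalert]
action_rss = 1
counttype = number of events
disabled = false
enableSched = 1
isGlobal = 0
quantity = 0
query = sudo
relation = greater than
schedule = */12 * * * *
sendresults = 0
userid = 1
nextrun = 1187116073

[example_script_alert]
query = failed password
counttype = number of hosts
relation = bigger than
quantity = 5
schedule = 0 * * * *
isglobal = 1
action_script = notify.sh
sendresults = 1
"""


def parse_savedsearches(text):
    """Return {stanza_name: {attribute: value}}. Attribute names are lower-cased
    (assumption: the page writes isGlobal and isglobal for the same attribute)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue                      # stray line outside any stanza
        key, _, value = line.partition("=")
        stanzas[current][key.strip().lower()] = value.strip()
    return stanzas


def nextrun_utc(stanza):
    """Decode the nextrun epoch seconds into the GMT string used in the walkthrough."""
    when = datetime.fromtimestamp(int(stanza["nextrun"]), tz=timezone.utc)
    return when.strftime("%a, %d %b %Y %H:%M:%S GMT")


def validate(stanza):
    """Compare a stanza against the spec; returns a list of problems (empty = clean)."""
    problems = []
    if "counttype" in stanza and stanza["counttype"] not in COUNTTYPES:
        problems.append("counttype not in spec: %r" % stanza["counttype"])
    if "relation" in stanza and stanza["relation"] not in RELATIONS:
        problems.append("relation not in spec: %r" % stanza["relation"])
    for key in FLAG_KEYS.intersection(stanza):
        if stanza[key] not in ("0", "1"):
            problems.append("%s must be 1/0, got %r" % (key, stanza[key]))
    if "quantity" in stanza and not stanza["quantity"].lstrip("-").isdigit():
        problems.append("quantity is not an integer: %r" % stanza["quantity"])
    if "schedule" in stanza and len(stanza["schedule"].split()) != 5:
        problems.append("schedule is not a five-field cron expression")
    return problems


def audit(stanzas):
    """Flag stanzas worth a second look: global visibility, a shell script action,
    or search results handed to an email/script action. Returns {name: [notes]}."""
    findings = {}
    for name, st in stanzas.items():
        notes = []
        if st.get("isglobal") == "1":
            notes.append("visible to every user (isglobal = 1)")
        if st.get("action_script"):
            notes.append("runs shell script %r when triggered" % st["action_script"])
        if st.get("sendresults") == "1" and (st.get("action_email") or st.get("action_script")):
            notes.append("search results are sent along with the email/script (sendresults = 1)")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    conf = parse_savedsearches(SAMPLE_CONF)
    print("sudoalert next run:", nextrun_utc(conf["sudoalert"]))
    for name, st in conf.items():
        for problem in validate(st):
            print("%s: spec violation: %s" % (name, problem))
    for name, notes in audit(conf).items():
        print("%s: review: %s" % (name, "; ".join(notes)))
```

Run it as-is to see the sample decoded, or point parse_savedsearches at the contents of $SPLUNK_HOME/etc/bundles/local/savedsearches.conf. Attributes the spec does not describe (disabled, enableSched, nextrun) are kept but not validated, so the script never rejects a stanza for something this page does not define.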
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3