savedsearches.conf
savedsearches.conf stores saved searches and their associated schedules and alerts.
savedsearches.conf.spec
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains possible attribute/value pairs for Saved Splunk entries in a savedsearches.conf file.
# You can configure your own Saved Splunks by creating your own savedsearches.conf
# There is a savedsearches.conf in $SPLUNK_HOME/etc/bundles/default/. To set custom configurations,
# place a savedsearches.conf in $SPLUNK_HOME/etc/bundles/local/ or your own custom bundle directory.
# Here is an example savedsearches.conf stanza:
# [<Splunk name>]
# attribute1 = val1
# ...
# The possible attribute/value pairs for savedsearches.conf are:
[<stanza name>]
* Name of the Saved Splunk stanza.
query = <string>
* Actual query terms of the Saved Splunk.
* For example: index::sampledata http NOT 500
isglobal = <integer>
* Toggle whether this Saved Splunk is shared with all users.
* If isglobal is set to 1, everyone can see/use this Saved Splunk.
* If set to 0, only the user who created the Saved Splunk can see it.
name = <string>
* Actual displayed name of the Saved Splunk.
* This will show in SplunkWeb, and you can search savedsplunk=<string>.
# Alerting options
counttype = <string>
* Set the type of count for alerting.
* Possible values: number of events, number of hosts, number of sources, number of sourcetypes.
relation = <string>
* How to compare against counttype.
* Possible values: greater than, less than, equal to, drops by, rises by.
quantity = <integer>
* Number to compare against the given counttype.
schedule = <string>
* Cron-style schedule (e.g. */12 * * * *).
action_script = <string>
* Your search can trigger a shell script.
* Specify the name of the shell script to run.
* Place the script in $SPLUNK_HOME/bin/scripts.
* Command line arguments passed to the script are:
# $1 - number of events returned when search run
# $2 - searched terms saved at the time saved search was created
# $3 - fully qualified query string, the way query is run internally
# $4 - saved search name
# $5 - trigger reason for the alert
# $6 - encoded http link to the saved search results
# $7 - tags that have been saved against this saved search, if there are any.
# $8 - file where the results for this search are stored (contains raw results)
# value: file script name
action_rss = <integer>
* Toggle whether or not to create an RSS link.
* Possible values: 1/0 (1 to create, 0 to disable).
action_email = <string>
* Comma delimited list of email addresses to send alerts to.
sendresults = <integer>
* Whether or not to send the results along with the email/shell script.
* Possible values: 1/0 (1 to send, 0 to disable).
# Viewstate settings
# Previously set in prefs.conf; as of 3.1 can be set in savedsearches.conf.
viewstate.resultView = reportView
* The UI state for a saved search.
* Can be either normalView or reportView.
* normalView returns the SplunkWeb search interface.
* reportView returns the report interface.
viewstate.chart.plotMode = column
* Set the plot mode for a chart returned by a saved search.
* Only valid when viewstate.resultView == reportView
* Possible values: area, axis, bubble, column, donut, heatmap, legend, line, pie, scatter,
stackedarea, stackedcolumn.
viewstate.prefs.selectedKeys = source host sourcetype
* Space-delimited list of fields to use.
* Always auto-generated, but can be edited after the fact to include new fields.
# The following are flash chart formatting options that are auto-generated.
# DO NOT EDIT.
viewstate.chart.formatting.dateTimeFormat = %m/%d/%Y %H:%M:%S
viewstate.chart.formatting.height = 300
viewstate.chart.formatting.padding.bottom = 10
viewstate.chart.formatting.padding.left = 0
viewstate.chart.formatting.padding.right = 0
viewstate.chart.formatting.padding.top = 20
viewstate.chart.formatting.textColor = 3355443
viewstate.chart.formatting.width = 852
savedsearches.conf.example
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains example Saved Splunks and alerts.
# To use one or more of these configurations, copy the configuration block into
# savedsearches.conf in $SPLUNK_HOME/etc/bundles/local/ (or your own custom bundle).
#
#
# The following example is a form search that is not shared with any users and does not run
# on a schedule.
[foo]
action_rss = 0
disabled = false
enableSched = 0
isGlobal = 0
query = $foo$
sendresults = 0
viewstate.prefs.selectedKeys = source host sourcetype
viewstate.resultView = normalView
# The following is an example search for all events, run on a schedule. It will send an
# alert to two different email addresses.
[all]
disabled = 0
enableSched = 1
name = all
query = *
schedule = */12 * * * *
action_email = email1@email.com, email2@email.com
viewstate.prefs.selectedKeys = source host sourcetype
viewstate.resultView = normalView
### Scripted searches
# The following search calls a script and sends an RSS feed. It runs every minute, Monday through
# Friday and alerts (e.g. sends RSS and triggers the script splunk.sh) every time the count of events
# returned by the search rises by 100.
[splunk_script]
query = eventtype = attack OR eventtype = deny
action_script = splunk.sh
action_rss = 1
counttype = number of events
relation = rises by
quantity = 100
schedule = */60 * * * 1-5
sendresults = 1
isGlobal = 0
viewstate.prefs.selectedKeys = source host sourcetype
viewstate.resultView = normalView
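As an added illustration of the action_script argument list above and the [splunk_script] stanza, here is a hypothetical alert handler of the kind you would place in $SPLUNK_HOME/bin/scripts; it is not part of the Splunk documentation or of any shipped script. It assumes the eight positional arguments the spec describes, and it only logs the alert and checks the results-file path, quoting every argument because $2, $3 and $7 carry search terms and tags taken from event data.

```shell
#!/bin/sh
# alert_handler.sh: hypothetical action_script for a Splunk 3.x saved search
# (added example, not Splunk's own code). Splunk calls it with the eight
# positional arguments from the spec ($1..$8). The script never evals or
# re-runs the search terms; it records them as data and validates $8.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
ALERT_LOG="${ALERT_LOG:-$SPLUNK_HOME/var/log/splunk/alert_handler.log}"

# one_line TEXT: collapse newlines and tabs so one alert stays on one log line.
one_line() {
    printf '%s' "$1" | tr '\n\t' '  '
}

# results_file_ok PATH: accept $8 only if it is a regular file under
# $SPLUNK_HOME with no ".." components; anything else is refused.
results_file_ok() {
    case "$1" in
        */../*|*/..|../*) return 1 ;;
        "$SPLUNK_HOME"/*) [ -f "$1" ] ;;
        *) return 1 ;;
    esac
}

# format_alert COUNT TERMS QUERY NAME REASON LINK TAGS FILE
# Build the key=value record written for one triggered alert.
format_alert() {
    printf 'name=%s count=%s reason=%s terms=%s tags=%s link=%s\n' \
        "$(one_line "$4")" "$1" "$(one_line "$5")" \
        "$(one_line "$2")" "$(one_line "$7")" "$(one_line "$6")"
}

# Entry point when Splunk runs the script: exactly eight arguments.
if [ "$#" -eq 8 ]; then
    {
        printf '%s ' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        format_alert "$@"
    } >> "$ALERT_LOG"
    if results_file_ok "$8"; then
        # Results are handled by a downstream tool; here only the size is logged.
        printf 'results_file=%s bytes=%s\n' "$8" "$(wc -c < "$8")" >> "$ALERT_LOG"
    else
        printf 'results_file_rejected=%s\n' "$8" >> "$ALERT_LOG"
    fi
fi
```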
This documentation applies to the following versions of Splunk: 3.1.4