Set up saved searches
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Set up saved searches
Turn any search into a saved search via Splunk Web. You can also save search by editing savedsearches.conf. Test your searches before you save them.
via Splunk Web
Refine the search until you consider it worthy. If you want to limit your search to a specific time period, add a modifier such as daysago:1 or hoursago:4. See the search reference.
Note: Many complex, long running searches may slow down your Splunk instance. Make sure you optimize your searches before saving them in a saved search.
Save your Search
- Click on the drop-down arrow next to the search bar:
- Select Save search...
- Then, fill in the options presented on the save search screen.
- Give your saved search a name.
- Pick a role to share your search with, or leave the drop down as Don't share.
- Optionally add the saved search to any existing dashboard.
- Click the Save button.
Note: All admin level users see all saved searches, whether the user who created it explicitly shared it or not.
Edit saved searches at any time by clicking on the Admin link in the upper right hand corner. Select the Saved Searches tab:
Schedule a saved search
Optionally schedule your Saved Search to run on a schedule by clicking the Schedules & Alerts link.
- Click Run this search on a schedule to enable scheduling.
- Pick basic or cron to specify a schedule for your search.
To turn your search into an alert, see set up alerts via Splunk Web.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.