
savedsearches.conf


savedsearches.conf stores saved searches and their associated schedules and alerts.

savedsearches.conf.spec

# This file contains possible attribute/value pairs for saved search entries in savedsearches.conf.  
# You can configure saved searches by creating your own savedsearches.conf.
#
# There is a default savedsearches.conf in $SPLUNK_HOME/etc/bundles/default. To set custom 
# configurations, place a savedsearches.conf in your own custom bundle directory.  
# For examples, see savedsearches.conf.example.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.
#******************************************************************************
# The possible attribute/value pairs for savedsearches.conf are:
#******************************************************************************
[<stanza name>]
	* Name of the saved search stanza.
	* Follow this stanza name with any number of the following attribute/value pairs.
query = <string>
	* Actual query terms of the saved search.
	* For example: index::sampledata http NOT 500.
	* Your query can include macro searches for substitution.
		* To create a macro search, read the documentation at:
		http://www.splunk.com/doc/latest/admin/MacroSearch
userid = <integer>
	* UserId of the user who created this saved search.
	* Possible values: Any Splunk user ID. User IDs are found in $SPLUNK_HOME/etc/passwd.
role = <string>
	* Role (from authorize.conf) that this saved search is shared with.
	* Anyone that is a member of that role will see the saved search in their dashboard.
#******************************************************************************
# Alerting options
#******************************************************************************
counttype = <string>
    * Set the type of count for alerting.
    * Possible values:  number of events, number of hosts, number of sources, number of sourcetypes.
relation = <string>
    * How to compare against counttype.
    * Possible values:  greater than, less than, equal to, drops by, rises by.
quantity = <integer>
    * Number to compare against the given counttype.
schedule = <string>
    * Cron style schedule (e.g. */12 * * * *).
action_script = <string>
    * Your search can trigger a shell script.
    * Specify the name of the shell script to run.
    * Place the script in $SPLUNK_HOME/bin/scripts.
    * Command line arguments passed to the script are:
        # $1 - number of events returned when the search ran.
        # $2 - search terms saved at the time the saved search was created.
        # $3 - fully qualified query string, the way the query is run internally.
        # $4 - saved search name.
        # $5 - trigger reason for the alert.
        # $6 - encoded HTTP link to the saved search results.
        # $7 - tags that have been saved against this saved search, if there are any.
        # $8 - file where the results for this search are stored (contains raw results).
    * The attribute value is the script file name.
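The following is an added example of a script for this hook (it is not Splunk's shipped splunk.sh). It assumes the $1..$8 argument layout above and an audit-log path of its own choosing, and it treats every argument as untrusted data, since the query text, tags and results path come from the saved-search definition and from the search itself.

```shell
#!/bin/sh
# Example alert script for the action_script hook (added example, not
# Splunk's own splunk.sh). Argument positions $1..$8 follow the spec above;
# the log location below is an assumption.

ALERT_LOG="${ALERT_LOG:-/tmp/savedsearch_alerts.log}"   # assumed path

# Collapse tabs and newlines so one alert is always exactly one log line,
# even when the query text or tags contain them.
flatten() {
    printf '%s' "$1" | tr '\t\n\r' '   '
}

# Return 0 if $1 is a non-negative integer, 1 otherwise.
is_count() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build a tab-separated audit record from the 8 arguments Splunk passes.
# Arguments are used strictly as data: never eval'd and never interpolated
# into another command line. Returns 1 on a malformed count or missing file.
format_alert_record() {
    count=$1; saved_terms=$2; full_query=$3; name=$4
    reason=$5; link=$6; tags=$7; results_file=$8
    is_count "$count" || { echo "bad event count: $count" >&2; return 1; }
    [ -f "$results_file" ] || { echo "results file missing" >&2; return 1; }
    lines=$(wc -l < "$results_file" | tr -d ' ')
    printf 'name=%s\tcount=%s\treason=%s\tterms=%s\tquery=%s\ttags=%s\tlink=%s\tresult_lines=%s\n' \
        "$(flatten "$name")" "$count" "$(flatten "$reason")" \
        "$(flatten "$saved_terms")" "$(flatten "$full_query")" \
        "$(flatten "$tags")" "$(flatten "$link")" "$lines"
}

# Entry point when invoked by Splunk: append one record to the audit log.
# Guarded on the argument count so the functions can be sourced for testing.
if [ "$#" -eq 8 ]; then
    format_alert_record "$@" >> "$ALERT_LOG"
fi
```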
action_rss = <integer> 
    * Toggle whether or not to create an RSS link.
    * Possible values: 1/0 (1 to create, 0 to disable).
action_email = <string>
    * Comma delimited list of email addresses to send alerts to.
sendresults = <integer>
    * Whether or not to send the results along with the email/shell script.
    * Possible values: 1/0 (1 to send, 0 to disable).
execDelay = <integer>
    * Amount of time (in seconds) from the most recent event to the execution of the scheduled search query.
    * Defaults to 0.
maxresults = <integer>
    * The maximum number of results the entire query pipeline can generate.
    * NOTE: this is different from the deprecated search command "maxresults."
    * Defaults to 50000.

#******************************************************************************
# Viewstate settings
# Previously set in prefs.conf; as of 3.1 can be set in savedsearches.conf.
#******************************************************************************
viewstate.resultView = reportView
	* The UI state for a saved search.
	* Can be either normalView or reportView.
	* normalView returns the SplunkWeb search interface.
	* reportView returns the report interface.
viewstate.chart.plotMode = column
	* Set the plot mode for a chart returned by a saved search.
	* Only valid when viewstate.resultView == reportView
	* Possible values:  area, axis, bubble, column, donut, heatmap, legend, line, pie, scatter,
	stackedarea, stackedcolumn.
viewstate.prefs.selectedKeys = source host sourcetype
	* Space-delimited list of fields to use.
	* Always auto-generated, but can be edited after the fact to include new fields.
#******************************************************************************
# The following are flash chart formatting options that are auto-generated.
# DO NOT EDIT.
viewstate.chart.formatting.dateTimeFormat = %m/%d/%Y %H:%M:%S
viewstate.chart.formatting.height = 300
viewstate.chart.formatting.padding.bottom = 10
viewstate.chart.formatting.padding.left = 0
viewstate.chart.formatting.padding.right = 0
viewstate.chart.formatting.padding.top = 20
viewstate.chart.formatting.textColor = 3355443
viewstate.chart.formatting.width = 852

savedsearches.conf.example

# This file contains example saved searches and alerts.
#
# To use one or more of these configurations, copy the configuration block into
# savedsearches.conf in your own custom bundle.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.
# The following searches are example searches.  To create your own search, modify 
# the values by following the spec outlined in savedsearches.conf.spec.
[Invalid 3months notshared db test2]
action_rss = 0
query = * Invalid startmonthsago=3
schedule = */60 * * * *
sendresults = 0
userid = 1
viewstate.prefs.selectedKeys = source host sourcetype
[bus error 15min email notshared db test5 ]
action_email = my_email@splunk.com
action_rss = 0
counttype = number of hosts
quantity = 5
query = * error Bus startminutesago=15
relation = greater than
schedule = */12 * * * *
sendresults = 1
userid = 1
viewstate.prefs.selectedKeys = source host sourcetype
[kCGError 3months shared db test1]
action_rss = 0
query = * kCGErrorIllegalArgument startmonthsago=3
role = Everybody
schedule = */60 * * * *
sendresults = 0
userid = 1
viewstate.prefs.selectedKeys = source host sourcetype
[normal shutdown 1month shareda nodb scheduled gt3 midnight test3]
action_rss = 0
counttype = number of events
enableSched = 1
quantity = 3
query = * Scheduler shutting down normally startmonthsago=1
relation = greater than
role = Admin
schedule = 0 0 * * *
sendresults = 0
userid = 1
viewstate.prefs.selectedKeys = source host sourcetype
[syslog not responding 15min shared rss]
action_rss = 1
counttype = always
query = * sourcetype="syslog" not responding startminutesago=15
role = Everybody
schedule = */12 * * * *
sendresults = 0
userid = 1
viewstate.prefs.selectedKeys = source host sourcetype
### Scripted searches
# The following search calls a script and sends an RSS feed.  It runs every minute, Monday through
# Friday, and alerts (e.g. sends RSS and triggers the script splunk.sh) every time the count of events
# returned by the search rises by 100.
[splunk_script]
query = eventtype = attack OR eventtype = deny
action_script = splunk.sh
action_rss = 1
counttype = number of events
relation = rises by
quantity = 100
schedule = */60 * * * 1-5
sendresults = 1
isGlobal = 0
viewstate.prefs.selectedKeys = source host sourcetype
viewstate.resultView = normalView

This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6
