Admin Manual


This documentation does not apply to the most recent version of Splunk.

savedsearches.conf

savedsearches.conf stores saved searches and their associated schedules and alerts. Use this file to:

savedsearches.conf.spec

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains possible attribute/value pairs for saved search entries in savedsearches.conf.  
# You can configure saved searches by creating your own savedsearches.conf.
#
# There is a default savedsearches.conf in $SPLUNK_HOME/etc/system/default. To set custom 
# configurations, place a savedsearches.conf in $SPLUNK_HOME/etc/system/local/.  
# For examples, see savedsearches.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
#******************************************************************************
# The possible attribute/value pairs for savedsearches.conf are:
#******************************************************************************

[<stanza name>]
	* Name of the saved search stanza.
	* Follow this stanza name with any number of the following attribute/value pairs.

disabled = <0 | 1>
	* Tag for entire search.
	* Search will not be visible if set to 1.
	* Defaults to 0.
search = <string>
	* Actual search terms of the saved search.
	* For example index::sampledata http NOT 500.
	* Your search can include macro searches for substitution.
		* To create a macro search, read the documentation at: 
		http://www.splunk.com/doc/latest/admin/MacroSearch
userid = <integer>
	* UserId of the user who created this saved search.
	  Splunk needs this information to log who ran the search and to create editing capabilities in Splunk Web.
	* Possible values: any Splunk user ID.
	* User IDs are found in $SPLUNK_HOME/etc/passwd.
	  Look for the first number on each line, right before the username.
	  For example, in 2:penelope.... the user ID is 2.
role = <string>
	* Role (from authorize.conf) that this saved search is shared with.
	* Anyone that is a member of that role will see the saved search in their dashboard.
	* To share with everyone, set to Everybody.

#******************************************************************************
# Scheduling options
#******************************************************************************
enableSched = <0 | 1>
	* Set this to 1 to enable the schedule for this search.
	* Defaults to 0.
counttype = <string>
	* Set the type of count for alerting.
	* Possible values: number of events, number of hosts, number of sources, number of sourcetypes.

relation = <string>
    * How to compare against counttype.
    * Possible values:  greater than, less than, equal to, drops by, rises by.
quantity = <integer>
    * Number to compare against the given counttype.
schedule = <string>
	* Cron-style schedule (e.g. */12 * * * *).
sendresults = <integer>
	* Whether or not to send the results along with the email/shell script.
	* Possible values: 1/0 (1 to send, 0 to disable).
execDelay = <integer>
	* Amount of time (in seconds) from the most recent event to the execution of the scheduled search.
	* Defaults to 0.

maxresults = <integer>
	* The maximum number of results the entire search pipeline can generate.
	* NOTE: This is different from the deprecated search command "maxresults" and the maxresults setting in prefs.conf.
	* General guidelines: use 10000 for 32-bit machines and 50000 for 64-bit machines.
	* Defaults to 10000.
action_script = <string>
	* Your search can trigger a shell script.
	* Specify the name of the shell script to run.
	* Place the script in $SPLUNK_HOME/bin/scripts.
	* Command line arguments passed to the script are:
		* $0 = script name.
		* $1 = number of events returned.
		* $2 = search terms.
		* $3 = fully qualified query string.
		* $4 = name of saved search.
		* $5 = trigger reason (e.g. "The number of events was greater than 1").
		* $6 = link to saved search.
		* $7 = a list of tags belonging to this saved search.
		* $8 = file where the results for this search are stored (contains raw results).
	* Note: If there are no saved tags, $7 becomes the name of the file containing the search results ($8).
action_rss = <integer> 
    * Toggle whether or not to create an RSS link.
    * Possible values: 1/0 (1 to create, 0 to disable).
action_email = <string>
    * Comma delimited list of email addresses to send alerts to.
nextrun = <integer>
	* NOTE: This attribute is automatically set. DO NOT SET.

#******************************************************************************
# Summary index settings
#******************************************************************************
action.summary_index = <1 | 0>
	* Toggle whether or not the summary index is enabled.
	* 1 to enable, 0 to disable.
	* Defaults to 0.

action.summary_index._name = <string>
	* The summary index where the results of the scheduled search are saved.
	* Defaults to summary.

action.summary_index.<$KEY> = <string>
	* Optional $KEY = <string> to add to each event when saving it in the summary index.

#******************************************************************************
# Search execution http settings
#******************************************************************************
http_read_timeout  = <int>
http_write_timeout = <int>
http_conn_timeout  = <int>
	* Read/write/connect timeout (in seconds) for the HTTP connection (to splunkd)
	  used to execute the scheduled search and any of its actions/alerts.

#******************************************************************************
# Viewstate settings
#******************************************************************************
viewstate.resultView = reportView
	* The UI state for a saved search.
	* Can be either normalView or reportView.
	* normalView returns the SplunkWeb search interface.
	* reportView returns the report interface.
viewstate.chart.plotMode = column
	* Set the plot mode for a chart returned by a saved search.
	* Only valid when viewstate.resultView == reportView.
	* Possible values: area, axis, bubble, column, donut, heatmap, legend, line, pie, scatter,
	  stackedarea, stackedcolumn.
viewstate.prefs.selectedKeys = source host sourcetype
	* Space-delimited list of fields to use.
	* Always auto-generated, but can be edited after the fact to include new fields.

#******************************************************************************
# The following are flash chart formatting options that are auto-generated.
# DO NOT EDIT.
viewstate.chart.formatting.dateTimeFormat = %m/%d/%Y %H:%M:%S
viewstate.chart.formatting.height = 300
viewstate.chart.formatting.padding.bottom = 10
viewstate.chart.formatting.padding.left = 0
viewstate.chart.formatting.padding.right = 0
viewstate.chart.formatting.padding.top = 20
viewstate.chart.formatting.textColor = 3355443
viewstate.chart.formatting.width = 852

savedsearches.conf.example

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains example saved searches and alerts.
#
# To use one or more of these configurations, copy the configuration block into
# savedsearches.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
# The following searches are example searches.  To create your own search, modify 
# the values by following the spec outlined in savedsearches.conf.spec.

[Invalid 3months notshared db test2]
action_rss = 0
search = * Invalid startmonthsago=3
schedule = */60 * * * *
sendresults = 0
userid = 1
viewstate.prefs.selectedKeys = source host sourcetype

[bus error 15min email notshared db test5]
action_email = my_email@splunk.com
action_rss = 0
counttype = number of hosts
quantity = 5
search = * error Bus startminutesago=15
relation = greater than
schedule = */12 * * * *
sendresults = 1
userid = 1
viewstate.prefs.selectedKeys = source host sourcetype

[kCGError 3months shared db test1]
action_rss = 0
search = * kCGErrorIllegalArgument startmonthsago=3
role = Everybody
schedule = */60 * * * *
sendresults = 0
userid = 1
viewstate.prefs.selectedKeys = source host sourcetype

[normal shutdown 1month shareda nodb scheduled gt3 midnight test3]
action_rss = 0
counttype = number of events
enableSched = 1
quantity = 3
search = * Scheduler shutting down normally startmonthsago=1
relation = greater than
role = Admin
schedule = 0 0 * * *
sendresults = 0
userid = 1
viewstate.prefs.selectedKeys = source host sourcetype

[syslog not responding 15min shared rss]
action_rss = 1
counttype = always
search = * sourcetype="syslog" not responding startminutesago=15
role = Everybody
schedule = */12 * * * *
sendresults = 0
userid = 1
viewstate.prefs.selectedKeys = source host sourcetype

### Scripted searches
# The following search calls a script and sends an RSS feed.  It runs every minute, Monday through
# Friday and alerts (e.g. sends RSS and triggers the script splunk.sh) every time the count of events
# returned by the search rises by 100.

[splunk_script]
search = eventtype = attack OR eventtype = deny
action_script = splunk.sh
action_rss = 1
counttype = number of events
relation = rises by
quantity = 100
schedule = */60 * * * 1-5
sendresults = 1
isGlobal = 0
viewstate.prefs.selectedKeys = source host sourcetype
viewstate.resultView = normalView
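As an added example, and not the splunk.sh that the stanza above refers to, here is a POSIX shell handler for the action_script argument list given in the spec, including the case where a search has no tags and $7 holds the results file instead of $8; the ALERT_LOG path is an assumption.

```shell
#!/bin/sh
# Added example of an action_script handler; not Splunk's splunk.sh above.
# Splunk 3.x runs it from $SPLUNK_HOME/bin/scripts with the arguments listed
# in savedsearches.conf.spec: $1 count, $2 search terms, $3 full query,
# $4 saved search name, $5 trigger reason, $6 link, $7 tags, $8 results file.
# Assumption: ALERT_LOG is a file the Splunk user may append to.
ALERT_LOG="${ALERT_LOG:-/tmp/splunk_alerts.log}"

# Resolve the results file. Per the spec note, a search with no tags has the
# results file path shifted into $7, leaving $8 empty.
# Usage: results_file "$7" "$8"
results_file() {
  if [ -n "$2" ]; then printf '%s\n' "$2"; else printf '%s\n' "$1"; fi
}

# Tags are only meaningful when $8 is present; otherwise $7 is the file.
# Usage: tag_list "$7" "$8"
tag_list() {
  if [ -n "$2" ]; then printf '%s\n' "$1"; else printf '\n'; fi
}

# Count result lines without interpreting them: the raw results file holds
# event text from monitored systems, so it is treated as untrusted data and
# is never passed to eval or spliced into a command line.
count_results() {
  if [ -r "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# Append one audit line per alert. Every argument is quoted so search terms
# or a trigger reason containing spaces or shell metacharacters are recorded
# literally rather than executed.
handle_alert() {
  file=$(results_file "$7" "$8")
  tags=$(tag_list "$7" "$8")
  printf '%s name=%s count=%s reason=%s tags=%s results=%s lines=%s link=%s\n' \
    "$(date '+%Y-%m-%dT%H:%M:%S')" "$4" "$1" "$5" "$tags" "$file" \
    "$(count_results "$file")" "$6" >> "$ALERT_LOG"
}

# Only act when Splunk supplies the full argument list ($8 may be absent).
if [ "$#" -ge 7 ]; then
  handle_alert "$@"
fi
```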

This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.