Save options
This documentation does not apply to the most recent version of Splunk.
You can save any of your searches, schedule your saved searches, and define alert conditions for your scheduled searches. For more information, refer to the User Manual topic about Save, schedule, and alert options.
Save a search
Search for the trade_app_logouts events in the sampledata:
index=sampledata eventtype=trade_app_logouts
To save a search:
1. Click on the search bar menu.
2. Select Save search... from the menu.
The Save Search dialog box opens.
3. In the "Search options" tab, name your search. (In 3.3, this is Search.)
4. Click Save.
Note: When saving your search, you can choose to add it to one or more dashboards.
Splunk lets you delete or modify your saved searches and add them to the dashboard. For more information on how to manage saved searches, refer to the User Manual's Find and manage saved searches page.
Schedule the search
From the search bar menu:
1. Choose Save search...
2. Click the Schedule & Alerts tab. (In 3.3, this is Schedule and Alert.)
3. Under Schedule, check "Run this search on a schedule".
Note: You can define the schedule frequency with the Basic or Cron options.
Schedule an alert
After you schedule a search, you can define alert conditions based on thresholds in the number of events, sources, and hosts in your results. You can receive these alerts via RSS feed or email.
You can also trigger a shell script, such as a script to generate an SNMP trap or call an API to send the event to another system. If you need additional email options (like setting the From: address), see the Alerts page in the Admin manual.
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14