Set up saved searches via Splunk Web
This documentation does not apply to the most recent version of Splunk.
Turn any search into a saved search via Splunk Web. Just craft a search and use the built-in Save search screen to set values for the search. You can also create saved searches via savedsearches.conf.
Note: Many complex or long-running searches can slow down your Splunk instance. Optimize your searches before saving them. You can also use summary indexing to speed up long-running searches.
Save your search
Refine the search until you are satisfied with it. If you want to limit your search to a specific time period, add a time modifier such as daysago:1 or hoursago:4. See the search reference.
1. Click on the drop-down arrow next to the search bar:
2. Select Save search...
3. Then, fill in the options presented on the save search screen.
4. Give your saved search a name.
5. Pick a role to share your search with, or leave the drop down as Don't share.
6. Optionally add the saved search to any existing dashboard.
7. Click the Save button.
Note: All admin-level users see all saved searches, whether or not the user who created them explicitly shared them. Sharing controls visibility for non-admin roles only.
Edit saved searches at any time by clicking on the Admin link in the upper right hand corner. Select the Saved Searches link.
Schedule a saved search
Optionally run your saved search on a schedule by clicking the Schedules & Alerts link.
Note: Too many searches running too often can slow down the server.
1. Check the box Run this search on a schedule.
2. Choose either Basic or Cron scheduling:
- Basic lets you choose from predefined schedule options.
- Use Cron to specify cron-style scheduling.
- Caution: Splunk implements cron differently than standard POSIX cron. Splunk reads */n as "divide by n" (instead of crontab's "every n"): in the minute field, */n splits the hour into n equal slots, so the search runs every 60/n minutes.
- For example, enter */3 * * * 1-5 to run your search every twenty minutes, Monday through Friday.
Here are some other Splunk cron examples:
- "*/12 * * * *" : Every 5 minutes
- "10,40 * * * *" : Every 30 minutes, at 10 and 40 minutes after the hour
- "0 0,12 * * *" : Every 12 hours, at midnight and noon
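The "divide by n" rule above is the kind of thing that silently breaks a scheduled alert: an operator who types */12 out of POSIX habit expects a run every twelve minutes and gets one every five (twelve times the load), while */3 gives three runs an hour instead of twenty, so an alert can miss its window. The helper below is an added example, not Splunk's own code; it works out the firing minutes under both interpretations for the minute field only, and emits an explicit minute list such as 0,20,40, which both dialects read the same way (the page's own "10,40 * * * *" is one). Behaviour for an n that does not divide 60 evenly is not documented on the page, so the helper rejects such values rather than guess.

```python
"""Splunk 3.x cron minute-field helper.

Added example, not code from Splunk or from this documentation page.
Covers the minute field only; the page documents no other field.
Assumption: values of n that do not divide 60 evenly are undocumented
and are therefore rejected instead of interpreted.
"""

MINUTES_IN_HOUR = 60


def divides_hour(n):
    """True when n splits the 60-minute hour into equal whole-minute slots."""
    return n >= 1 and MINUTES_IN_HOUR % n == 0


def posix_every_minutes(n):
    """Minutes within an hour at which POSIX cron fires '*/n' (every n minutes)."""
    if n < 1 or n > MINUTES_IN_HOUR:
        raise ValueError("n must be between 1 and 60")
    return list(range(0, MINUTES_IN_HOUR, n))


def splunk_divide_minutes(n):
    """Minutes within an hour at which Splunk 3.x fires '*/n' (hour divided by n).

    '*/3' -> [0, 20, 40]; '*/12' -> every 5 minutes, matching the page's examples.
    """
    if not divides_hour(n):
        raise ValueError("n must divide 60 evenly; other values are undocumented")
    return list(range(0, MINUTES_IN_HOUR, MINUTES_IN_HOUR // n))


def splunk_spec_for_interval(interval_minutes):
    """Minute-field spec Splunk 3.x needs for 'every <interval> minutes'.

    20 -> '*/3', 5 -> '*/12'. Raises for intervals that do not divide the hour.
    """
    if not divides_hour(interval_minutes):
        raise ValueError("interval must divide 60 evenly")
    return "*/%d" % (MINUTES_IN_HOUR // interval_minutes)


def explicit_minute_field(minutes):
    """Comma-separated minute list ('0,20,40') read identically by POSIX cron and Splunk."""
    return ",".join(str(m) for m in sorted(set(minutes)))


def portable_cron(interval_minutes, rest="* * * *"):
    """Full five-field expression using an explicit minute list instead of '*/n'.

    'rest' holds the hour, day-of-month, month and day-of-week fields unchanged.
    """
    if not divides_hour(interval_minutes):
        raise ValueError("interval must divide 60 evenly")
    minutes = range(0, MINUTES_IN_HOUR, interval_minutes)
    return "%s %s" % (explicit_minute_field(minutes), rest)


def interpretation_report(n):
    """Side-by-side firing counts per hour for '*/n' under each dialect."""
    return {
        "spec": "*/%d" % n,
        "posix_runs_per_hour": len(posix_every_minutes(n)),
        "splunk_runs_per_hour": len(splunk_divide_minutes(n)),
    }


if __name__ == "__main__":
    # Constructed inputs: the two specs the page uses, plus a wanted interval.
    for n in (3, 12):
        print(interpretation_report(n))
    print("every 20 min, Mon-Fri, Splunk 3.x:", splunk_spec_for_interval(20), "* * * 1-5")
    print("every 20 min, Mon-Fri, portable:  ", portable_cron(20, "* * * 1-5"))
```

When a schedule must survive an upgrade or be copied between systems, prefer the explicit list from portable_cron: it means the same thing in crontab and in Splunk 3.x, so no one has to remember which dialect the scheduler speaks.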
After you've scheduled your search, you can configure it to send alerts. To turn your search into an alert, see set up alerts via Splunk Web.
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.
