Set up saved searches via savedsearches.conf
Configure saved searches with savedsearches.conf. Use the $SPLUNK_HOME/etc/system/README/savedsearches.conf.example as an example, or create your own savedsearches.conf. Make any changes in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.
To turn your saved search into an alert, see set up alerts via savedsearches.conf.
Configuration
Edit $SPLUNK_HOME/etc/system/local/savedsearches.conf to create a saved search. A savedsearches.conf stanza looks like:
[<Splunk name>]
attribute1 = val1
attribute2 = val2
There are several attribute/value pairs available for savedsearches.conf. The following pairs may be used to create a saved search.
search = <string>
- Actual query terms of the saved search.
- For example: index::sampledata http NOT 500.
- Your query can include macro searches for substitution.
- To create a macro search, read the documentation on macro search.
role = <string>
- Role (from authorize.conf) that this saved search is shared with.
- Anyone that is a member of that role will see the saved search in their dashboard.
userid = <integer>
- UserId of the user who created this saved search.
- Splunk needs this information to log who ran the search, and create editing capabilities in Splunk Web.
- Possible values: Any Splunk user ID.
- User IDs are found in $SPLUNK_HOME/etc/passwd. Look for the first number on each line, right before the username.
- For example: 2:penelope....
Example
This example search is called j_client_ip and runs the search host="j_apache" | top limit=100 clientip. It's shared with the Admin role -- role is set to 'Admin.'
[j_client_ip]
search = host="j_apache" | top limit=100 clientip
role = Admin
userid = 1
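As an added example (not part of the Splunk documentation or product), the following Python script audits a savedsearches.conf file using the attributes described above: it flags stanzas with no search string and stanzas whose userid does not match any ID in a passwd-style file. The conf and passwd contents are constructed samples; the field layout after "id:username" in the passwd lines is assumed, since the page only shows the first two fields.

```python
import configparser

# Constructed sample savedsearches.conf (not from a real deployment).
SAVEDSEARCHES_CONF = """
[j_client_ip]
search = host="j_apache" | top limit=100 clientip
role = Admin
userid = 1

[orphaned_search]
search = index::sampledata http NOT 500
role = User
userid = 42

[no_query]
role = Admin
userid = 2
"""

# Constructed $SPLUNK_HOME/etc/passwd lines: "<id>:<username>:..." as the page
# describes; the trailing fields are placeholders (assumed layout).
PASSWD = """1:admin:<other fields>
2:penelope:<other fields>
"""

def parse_passwd(text):
    """Map the leading numeric user ID of each passwd line to its username."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        uid, name = line.split(":")[:2]
        users[int(uid)] = name
    return users

def audit_saved_searches(conf_text, passwd_text):
    """Return {stanza: [problems]} for stanzas that lack a search or an owner."""
    # Only "=" separates keys from values here, so "index::sampledata" stays intact.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    users = parse_passwd(passwd_text)
    report = {}
    for stanza in cp.sections():
        problems = []
        if not cp.get(stanza, "search", fallback="").strip():
            problems.append("missing search")
        uid = cp.get(stanza, "userid", fallback="")
        if not uid.isdigit():
            problems.append("userid not an integer")
        elif int(uid) not in users:
            problems.append(f"userid {uid} not in passwd")
        if problems:
            report[stanza] = problems
    return report
```

Running audit_saved_searches on the samples reports orphaned_search (unknown owner 42) and no_query (no search string) and passes j_client_ip.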
Note: In versions 3.2 and above, saved searches set to run on a schedule don't show a nextrun time in savedsearches.conf.
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14