Application Management

Save a search

This topic shows how to save a search, in this case a search for slow transactions. You can run a saved search by name from the Searches menu in the Splunk GUI, or schedule it to run automatically.

For more detail on the transactions used here, see the Build a transaction using multiple fields topic in this manual.

Search for slow transactions

First, set up a search that takes transactions built from disparate events in three types of logs -- web logs, J2EE logs, and API logs -- and use the duration field to find slow transactions.

1. Start by specifying the events you want to use to build transactions:

index="test" sourcetype="weblog" OR sourcetype="J2EElog" OR sourcetype="APIlog"

Note: This is pretty long-winded. Later you'll see how to group these events using event types.

2. Now direct these events to the transaction command using the pipe (|) operator. The transaction command lets you pull together all the events that have matching values in one or more fields (here, the accountNumber and subscriberID fields).

index="test" sourcetype="weblog" OR sourcetype="J2EElog" OR sourcetype="APIlog" | transaction accountNumber subscriberID maxspan=1m maxpause=30s

This builds transactions out of all the events that match the criteria.

3. Select last 60 minutes from the time picker. This runs the search and displays the results.

[Figure: AppManageTransaction.png]

4. The transaction command calculates a duration field, which you can use to find slow transactions. To find all the transactions with a duration of more than 4 seconds:

index="test" sourcetype="weblog" OR sourcetype="J2EElog" OR sourcetype="APIlog" | transaction accountNumber subscriberID maxspan=1m maxpause=30s | where duration > 4

[Figure: AppManageXtierTransSlow.png]
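As an added illustration (not Splunk code and not part of this topic), here is a simplified Python model of what the transaction command does with maxspan and maxpause, run over constructed sample events. The field names and thresholds match the search above; the model's skipping of events that lack a key field is an assumption, since Splunk's real handling of missing fields is more permissive.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data): web, J2EE and API log
# events keyed by accountNumber and subscriberID, as in the search above.
EVENTS = [
    {"_time": "2010-06-01 10:00:00", "sourcetype": "weblog",  "accountNumber": "A1", "subscriberID": "S1"},
    {"_time": "2010-06-01 10:00:02", "sourcetype": "J2EElog", "accountNumber": "A1", "subscriberID": "S1"},
    {"_time": "2010-06-01 10:00:05", "sourcetype": "APIlog",  "accountNumber": "A1", "subscriberID": "S1"},
    {"_time": "2010-06-01 10:00:01", "sourcetype": "weblog",  "accountNumber": "A2", "subscriberID": "S2"},
    {"_time": "2010-06-01 10:00:03", "sourcetype": "APIlog",  "accountNumber": "A2", "subscriberID": "S2"},
    # 57s after the previous A2/S2 event: exceeds maxpause=30s, so it starts a new transaction
    {"_time": "2010-06-01 10:01:00", "sourcetype": "weblog",  "accountNumber": "A2", "subscriberID": "S2"},
    {"_time": "2010-06-01 10:00:04", "sourcetype": "APIlog",  "accountNumber": "A3"},  # no subscriberID
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def build_transactions(events, fields, maxspan, maxpause):
    """Simplified model of `transaction <fields> maxspan=... maxpause=...`.
    Events with identical values for all `fields` are grouped in time order;
    the open group is closed when the next event would push first-to-last
    beyond maxspan or the gap to the previous event beyond maxpause."""
    groups_by_key = {}
    for ev in sorted(events, key=lambda e: parse(e["_time"])):
        key = tuple(ev.get(f) for f in fields)
        if None in key:              # assumption: events missing a key field are skipped
            continue
        groups = groups_by_key.setdefault(key, [])
        t = parse(ev["_time"])
        if groups:
            cur = groups[-1]
            first, last = parse(cur[0]["_time"]), parse(cur[-1]["_time"])
            if t - first <= maxspan and t - last <= maxpause:
                cur.append(ev)
                continue
        groups.append([ev])          # open a new transaction for this key
    result = []
    for key, groups in groups_by_key.items():
        for g in groups:
            duration = (parse(g[-1]["_time"]) - parse(g[0]["_time"])).total_seconds()
            result.append({"key": key, "eventcount": len(g), "duration": duration})
    return result

def slow_transactions(events, threshold=4.0):
    """The search above: transaction on accountNumber+subscriberID, then `where duration > 4`."""
    txns = build_transactions(events, ("accountNumber", "subscriberID"),
                              timedelta(minutes=1), timedelta(seconds=30))
    return [t for t in txns if t["duration"] > threshold]
```

With the sample data, the A1/S1 events form one 5-second transaction and are the only slow one; the A2/S2 events split into two transactions because the third event arrives more than maxpause after the second.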

Save a search

If you have a search you run over and over again, you can create a saved search. You can run a saved search from the Searches menu, and you can also schedule saved searches to run on a regular basis.

1. Make sure you have run the search you want to save, or highlight and copy its syntax:

index="test" sourcetype="weblog" OR sourcetype="J2EElog" OR sourcetype="APIlog" | transaction accountNumber subscriberID maxspan=1m maxpause=30s | where duration > 4

2. From the Search app, click Manager in the upper right of the screen.

3. Click Searches and Reports.

[Figure: AppManageMgrSearchesReports.png]

4. Click New.

[Figure: AppManageSearchesReportNew.png]

5. Select search as the Destination app.

[Figure: AppManageSaveSearchSLA.png]

6. Enter SLA Infractions Last Hour for the Name. You can use spaces in the name of saved searches.

7. Enter the search you want to run.

index="test" sourcetype="weblog" OR sourcetype="J2EElog" OR sourcetype="APIlog" | transaction accountNumber subscriberID maxspan=1m maxpause=30s | where duration > 4

8. Enter -65m for Start time and -5m for Finish time. This sets the search to look for events that finished at least five minutes before the search is run. Because there can be a lag between the time when events occur and when they are finalized in the index, a time offset ensures that the report captures all the results in the specified time interval.

9. Click Save to save the search.

Note: You can also use the Schedule this search section to run the search on a schedule and create an alert. This is shown in the next section.

Run a saved search

By default, saved searches show up in the Searches & Reports menu of the app where they were created. To run this search after it has been saved:

1. Click Back to Search to return to the app.

2. Select the name of your search, SLA Infractions Last Hour, from the Searches & Reports menu.

[Figure: AppManageRunSearch.png]

3. The search runs and displays the results. Notice that the name of the search displays in the upper left and the time range is set using the parameters you saved in the search.

[Figure: AppManageRunSavedSearch.png]

The next topic shows how to schedule a saved search to run automatically.

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8.