Splunk® Enterprise

User Manual


NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Save a search

This topic assumes you're comfortable running searches with fields. If you're not, go back to the previous topic and review how to Use fields to search.

This topic walks you through the basics of saving a search and how you can use that search again later.

Back at the Flower & Gift shop, you just ran a search to see if there were any errors yesterday. This is a search you will run every morning. Rather than type it in manually every day, you decide to save this search.

Example 1. Run the search for all errors seen yesterday:

error OR failed OR severe OR (sourcetype=access_* (status=404 OR status=500 OR status=503))

1. Click Save under the search bar.

[Image: Save search dropdown menu]

This enables you to save a search, save a search's results, or save and share the results.

Saving the results of a search is different from saving the search itself; you do this when you want to be able to review the outcome of a particular run of a search at a later time. For more information, read about "Saving searches and sharing search results" in the User Manual.

2. Select Save search... from the list.

The Save search dialog box opens.

[Image: Save search dialog box]

At a minimum, a saved search includes the search string and the time range associated with the search, as well as the name of the search.


3. Name the search, Errors (Yesterday)

4. Leave the Search string, Time range, and Share settings as they are. (Notice that the time range should already be set to "yesterday".)

5. Click Finish. Splunk confirms that your search was saved:

[Image: Search saved confirmation]

6. Find your saved search in the Searches & Reports list:

[Image: Errors entry in the Searches & Reports list]

Because the saved search's name contained the word "Error," Splunk lists it in the saved search submenu for Errors.

The green dot next to your saved search means that it's local to your Splunk account; right now you are the only one that is authorized to access this saved search. Since this is a search that others on your team may want to run, you can set it as a global saved search that they can access. To do this, read more about saving searches and sharing search results.


Manage searches and reports

If you want to modify a search that you saved, use the Searches & Reports menu to select Manage Searches & Reports. This takes you to the Splunk Manager page listing all the searches and reports you're allowed to access. From here you can select your search from the list. This takes you to the search's edit window, where you can change or update the search string, description, time range, and schedule options.


Schedule saved searches and alerts

If you have an Enterprise license, Splunk also lets you configure the searches you saved to run on a schedule and to set alerts based on the scheduled searches. When you download Splunk for the first time, you're given an Enterprise trial license that expires after 60 days. If you're using the Free license, you do not have the capability to schedule a saved search. Read more about scheduling saved searches and setting alerts in the "Monitoring recurring situations" chapter of the User Manual.
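Everything the dialog box, the sharing setting and the scheduling options above capture ends up in Splunk's configuration files. As an added example (not part of this topic and not Splunk's own documentation text), here is how the Errors (Yesterday) search, a morning schedule with an alert, and the global sharing described above look as configuration stanzas. The search string and the "yesterday" time range are the ones from this topic; the file paths (default layout, default "search" app), the 07:00 cron time, the e-mail address and the %20 encoding of the sharing stanza name are assumptions.

```ini
# Assumed path: $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
# The stanza name is the name you typed in the Save search dialog.
[Errors (Yesterday)]
# The search string exactly as entered in the search bar.
search = error OR failed OR severe OR (sourcetype=access_* (status=404 OR status=500 OR status=503))
description = Errors seen in the Flower & Gift shop logs yesterday
# The "yesterday" preset: from midnight at the start of yesterday (-1d@d)
# up to midnight at the start of today (@d).
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d

# Scheduling and alerting need an Enterprise license.
# Assumed schedule: run every morning at 07:00 (standard cron syntax).
enableSched = 1
cron_schedule = 0 7 * * *
# Alert when the scheduled run returns at least one event.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# Placeholder recipient; replace with a real address.
action.email = 1
action.email.to = oncall@example.com

# Assumed path: $SPLUNK_HOME/etc/apps/search/metadata/local.meta
# Sharing (the green-dot setting): readable by every role, writable
# only by admin so nobody else can silently change an alerting search,
# and exported to all apps. The stanza key is the URL-encoded object
# name; the %20 for the space is an assumption.
[savedsearches/Errors%20(Yesterday)]
access = read : [ * ], write : [ admin ]
export = system
```

Splunk reads edited configuration files after a restart; saving through Splunk Web writes the same keys for you, so the stanza above is what you get when you follow the steps in this topic and then share and schedule the search in Manager. Keeping write access limited to admin is the one choice worth making deliberately: a search that feeds alerts should not be editable by everyone who can run it.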


Now, you can save your searches after you run them. When you're ready, proceed to the next topic to learn more ways to search.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7

