savedsearch
Synopsis
Returns the search results of a saved search.
Syntax
savedsearch <savedsearch name> [<savedsearch-opt>]*
Required arguments
- savedsearch name
  - Syntax: <string>
  - Description: Name of the saved search to run.
- savedsearch-opt
  - Syntax: <macro>|<replacement>
  - Description: The savedsearch options let you specify either no substitution or the key/value pair to use in the macro replacement.
Savedsearch options
- macro
  - Syntax: nosubstitution=<bool>
  - Description: If true, no macro replacements are made. Defaults to false.
- replacement
  - Syntax: <field>=<string>
  - Description: A key/value pair to use in macro replacement.
Description
Runs a saved search, whose results may be cached on disk. Also performs macro replacement.
Examples
Example 1: Run the "mysecurityquery" saved search.
| savedsearch mysecurityquery
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2
Hi there. You could add an example of macro replacement. It's not clear and it's very useful. BTW, one example would be: suppose you have a saved search like this: [ index=in field1=$filter$ | stats count ] , you can do this: [ | savedsearch "My Search" filter=value | ] and get the filtered search.