Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

savedsearch

Description

Runs a saved search, or report, and returns the search results of a saved search. If the search contains replacement placeholder terms, such as $replace_me$, the search processor replaces the placeholders with the strings you specify. For example:

|savedsearch mysearch replace_me="value"

Syntax

| savedsearch <savedsearch_name> [<savedsearch-options>...]

Required arguments

savedsearch_name
Syntax: <string>
Description: Name of the saved search to run.

Optional arguments

savedsearch-options
Syntax: <substitution-control> | <replacement>
Description: Specify whether substitutions are allowed. If allowed, specify the key-value pair to use in the string substitution replacement.
substitution-control
Syntax: nosubstitution=<bool>
Description: If true, no string substitution replacements are made.
Default: false
replacement
Syntax: <field>=<string>
Description: A key-value pair to use in string substitution replacement.

Usage

The savedsearch command is a generating command and must start with a leading pipe character.

The savedsearch command always runs a new search. To reanimate the results of a previously run search, use the loadjob command.

Time ranges

  • If you specify All Time in the time range picker, the savedsearch command uses the time range that was saved with the saved search.
  • If you specify any other time in the time range picker, the time range that you specify overrides the time range that was saved with the saved search.

Examples

Example 1

Run the saved search "mysecurityquery".

| savedsearch mysecurityquery

Example2

Run the saved search "mysearch". Where the replacement placeholder term $replace_me$ appears in the saved search, use "value" instead.

|savedsearch mysearch replace_me="value"...

See also

search, loadjob

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the savedsearch command.

PREVIOUS
run
  NEXT
script

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0


Comments

Hello Landen99, thank you for your comment.

The savedsearch command always runs a new search. To use the results of a previously run search, use the loadjob command.

If you specify All Time in the time range picker, the savedsearch command uses the time range that was saved with the saved search. If you specify any other time in the time range picker, the time range that you specify overrides the time range that was saved with the saved search.

I have updated the Usage section of this topic to explain what happens.

Lstewart splunk, Splunker
August 3, 2016

Please specify on this page whether the results from the search's most recent run are used if the time is left at All Time, or if the search is re-run regardless of whether their are substitutions.

Landen99
July 26, 2016

Thanks for the suggestion Woodcock.
I have added it to the See also section.

Lstewart splunk, Splunker
July 22, 2016

You should add "Loadjob" to the "See also" section.

Woodcock
July 21, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters