Save a search
This topic assumes you're comfortable running searches with fields. If you're not, go back to the previous topic and review how to Use fields to search.
This topic walks you through the basics of saving a search and how you can use that search again later.
Back at the Flower & Gift shop, you just ran a search to see if there were any errors yesterday. This is a search you will run every morning. Rather than type it in manually every day, you decide to save this search.
Example 1. Run the search for all errors seen yesterday:
error OR failed OR severe OR (sourcetype=access_* (status=404 OR status=500 OR status=503))
1. Click Save under the search bar.
This enables you to save a search, save a search's results, or save and share the results.
|Saving the results of a search is different from saving the search itself; you do this when you want to be able to review the outcome of a particular run of a search at a later time. For more information, read about "Saving searches and sharing search results" in the User Manual.|
2. Select Save search... from the list.
The Save search dialog box opens.
At a minimum, a saved search includes the search string and the time range associated with the search, as well as the name of the search.
3. Name the search, Errors (Yesterday)
4. Leave the Search string, Time range, and Share settings as they are. (Notice that the time range should already by set to "yesterday".)
5. Click Finish. Splunk confirms that your search was saved:
6. Find your saved search in the Searches & Reports list:
Because the saved search's name contained the word "Error," Splunk lists it in the saved search submenu for Errors.
The green dot next to your saved search means that it's local to your Splunk account; right now you are the only one that is authorized to access this saved search. Since this is a search that others on your team may want to run, you can set it as a global saved search that they can access. To do this, read more about saving searches and sharing search results.
| Manage searches and reports
If you want to modify a search that you saved, use the Searches & Reports menu to select Manage Searches & Reports. This takes you the Splunk Manager page for all the searches and reports you're allowed to access (if you're allowed to access them). From here you can select your search from the list. This take you to the searches edit window where you can then change or update the search string, description, time range, and schedule options.
If you have an Enterprise license, Splunk also lets you configure the searches you saved to run on a schedule and to set alerts based off the scheduled searches. When you download Splunk for the first time, you're given an Enterprise trial license that expires after 60 days. If you're using the Free license, you do not have the capability to schedule a saved search. Read more about scheduling saved searches and setting alerts in the "Monitoring recurring situations" chapter of the User manual.
Now, you can save your searches after you run them. When you're ready, proceed to the next topic to learn more ways to search.
Use fields to search
Use Splunk's search language
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7