Splunk® Enterprise

Admin Manual


savedsearches.conf

The following are the spec and example files for savedsearches.conf.

savedsearches.conf.spec

#   Version 9.3.1
#
# This file contains possible setting/value pairs for saved search entries in
# the savedsearches.conf file.  You can configure saved searches by creating
# your own savedsearches.conf file.
#
# There is a default savedsearches.conf file in
# $SPLUNK_HOME/etc/system/default. To set custom configurations, place a
# savedsearches.conf file in $SPLUNK_HOME/etc/system/local/. For examples, see
# the savedsearches.conf.example file. You must restart Splunk to enable
# configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

GLOBAL SETTINGS


# Use the [default] stanza to define any global settings.
#  * You can also define global settings outside of any stanza, at the top of
#    the file.
#  * Each conf file should have at most one default stanza. If there are
#    multiple default stanzas, settings are combined. In the case of multiple
#    definitions of the same settings, the last definition in the file wins.
#  * If a setting is defined at both the global level and in a specific
#    stanza, the value in the specific stanza takes precedence.

The possible settings for the savedsearches.conf file are:


[<stanza name>]
* Create a unique stanza name for each saved search.
* Follow the stanza name with any number of the following settings.
* If you do not specify a setting, Splunk software uses the default.

disabled = <boolean>
* Disable your search by setting 'disabled=true'.
* You cannot run a disabled search.
* This setting is typically used to prevent a scheduled search from running
  on its schedule, without deleting the stanza for the search in the
  savedsearches.conf file.
* Default: false

search = <string>
* The actual search string for the saved search.
  * For example, 'search = index::sampledata http NOT 500'.
* Your search can include macro searches for substitution.
  * To learn more about creating a macro search, search the documentation for
    "macro search."
* Multi-line search strings currently have some limitations. For example, use
  with the search command '|savedsearch' does not currently work with multi-line
  search strings.
* No default.

dispatchAs = [user|owner]
* When the saved search is dispatched using the "saved/searches/{name}/dispatch"
  endpoint, this setting controls what user that search is dispatched as.
* This setting is only meaningful for shared saved searches.
* When dispatched as "user", the search is run as if the requesting user owned
  the search.
* When dispatched as "owner", the search is run as if the owner of the search
  dispatched the search, no matter which user requested it.
* If the 'force_saved_search_dispatch_as_user' setting, in the limits.conf
  file, is set to "true", then the 'dispatchAs' setting is reset to "user" while
  the saved search is dispatching.
* Default: owner


Scheduling options


enableSched = [0 | 1]
* Specifies whether or not to run the search on a schedule.
* The only acceptable values for this setting are 0 and 1.
* Set this to 1 (true) to run your search on a schedule.
* Default: 0

cron_schedule = <cron string>
* The cron schedule that is used to run this search.
* For example: */5 * * * *  causes the search to run every 5 minutes.
* You can use standard cron notation to define your scheduled search interval.
  In particular, cron can accept this type of notation: 00,20,40 * * * *, which
  runs the search every hour at hh:00, hh:20, hh:40.
  A cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43.
* To reduce system load, schedule your searches so that they are staggered over
  time. Running all of the saved searches every 20 minutes (*/20) means all of
  the searches would launch at hh:00 (20, 40) and might slow your system every
  20 minutes.
* The Splunk cron implementation does not currently support names of months or
  days.
* No default.

schedule = <cron-style string>
* This setting is DEPRECATED as of version 4.0.
* For more information, see the pre-4.0 spec file.
* Use 'cron_schedule' to define your scheduled search interval.

allow_skew = <percentage>|<duration-specifier>
* Lets the search scheduler randomly distribute scheduled searches more evenly
  over the scheduled time periods.
* When set to non-zero for searches with the following cron_schedule values,
  the search scheduler randomly "skews" the second, minute, and hour that the
  search actually runs on:
    * * * * *     Every minute.
    */M * * * *   Every M minutes (M > 0).
    0 * * * *     Every hour.
    0 */H * * *   Every H hours (H > 0).
    0 0 * * *     Every day (at midnight).
* When set to non-zero for a search that has any other 'cron_schedule' setting,
  the search scheduler can only randomly skew the second that the search runs
  on.
* The amount of skew for a specific search remains constant between edits of
  the search.
* To specify a percentage: Use an integer value followed by the percent '%'
  symbol. This specifies the maximum amount of time to skew, as a percentage of
  the scheduled search period.
* To specify a duration: Use <integer><timescale> to specify a maximum duration.
  Supported units are:
    m, min, minute, mins, minutes
    h, hr, hour, hrs, hours
    d, day, days
  The <timescale> is required.
* Skew examples:
    100% (For an every-5-minute search = 5 minutes maximum)
    50%  (For an every-1-minute search = 30 seconds maximum)
    5m = 5 minutes maximum
    1h = 1 hour maximum
* A value of 0 does not allow a skew to occur.
* Default: 0
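As an added illustration (not from the spec or from Splunk's scheduler code), the following Python computes the maximum skew, in seconds, from a 'cron_schedule' and an 'allow_skew' value for the five cron forms listed above. The function names are this example's own; for any other cron form, where only the second can be skewed, it reports None.

```python
import re

# The five cron forms the spec says can be skewed at second/minute/hour level,
# each mapped to its period in seconds. Anything else gets only second-level
# skew, which this example reports as None.
_PERIOD_PATTERNS = [
    (re.compile(r"^\* \* \* \* \*$"), lambda m: 60),                             # every minute
    (re.compile(r"^\*/(\d+) \* \* \* \*$"), lambda m: 60 * int(m.group(1))),     # every M minutes
    (re.compile(r"^0 \* \* \* \*$"), lambda m: 3600),                            # every hour
    (re.compile(r"^0 \*/(\d+) \* \* \*$"), lambda m: 3600 * int(m.group(1))),    # every H hours
    (re.compile(r"^0 0 \* \* \*$"), lambda m: 86400),                            # every day at midnight
]

# Duration units accepted by allow_skew, per the spec, in seconds.
_UNIT_SECONDS = {
    **dict.fromkeys(("m", "min", "minute", "mins", "minutes"), 60),
    **dict.fromkeys(("h", "hr", "hour", "hrs", "hours"), 3600),
    **dict.fromkeys(("d", "day", "days"), 86400),
}


def cron_period_seconds(cron_schedule):
    """Period in seconds for the documented skewable cron forms, else None."""
    expr = " ".join(cron_schedule.split())  # normalise whitespace between fields
    for pattern, period in _PERIOD_PATTERNS:
        m = pattern.match(expr)
        if m:
            secs = period(m)
            if secs <= 0:  # */0 is not a valid step: the spec requires M > 0 and H > 0
                raise ValueError(f"invalid cron step in {cron_schedule!r}")
            return secs
    return None


def max_skew_seconds(cron_schedule, allow_skew):
    """Upper bound, in seconds, on how far the scheduler may move this search.

    Returns 0 when allow_skew is 0 (no skew) and None when the cron form is not
    one of the five above, i.e. only the second of the run time can be skewed.
    """
    value = allow_skew.strip()
    if value == "0":
        return 0
    period = cron_period_seconds(cron_schedule)
    if period is None:
        return None
    pct = re.fullmatch(r"(\d+)%", value)
    if pct:  # percentage of the scheduled period, e.g. 100% of */5 = 5 minutes
        return period * int(pct.group(1)) // 100
    dur = re.fullmatch(r"(\d+)([a-z]+)", value)
    if dur and dur.group(2) in _UNIT_SECONDS:  # <integer><timescale>, timescale required
        return int(dur.group(1)) * _UNIT_SECONDS[dur.group(2)]
    raise ValueError(f"allow_skew {allow_skew!r} is neither <percent>% nor <integer><timescale>")


if __name__ == "__main__":
    for cron, skew in (("*/5 * * * *", "100%"), ("* * * * *", "50%"), ("03,23,43 * * * *", "10%")):
        print(f"{cron!r} with allow_skew={skew}: max skew {max_skew_seconds(cron, skew)} s")
```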

max_concurrent = <unsigned integer>
* The maximum number of concurrent instances of this search that the scheduler
  is allowed to run.
* Default: 1

realtime_schedule = <boolean>
* Controls the way the scheduler computes the next run time of a scheduled
  search.
* When set to 'true', the scheduler determines the next scheduled search run
  time based on the current time.
    * NOTE: When set to 'true', the scheduler might skip some execution periods
      to make sure that the scheduler is executing the searches that are running
      over the most recent time range.
* When set to 'false', the scheduler determines the next scheduled search run
  time based on the last run time for the search. This is called continuous
  scheduling.
    * NOTE: When set to 'false', the scheduler never skips scheduled execution
      periods. However, the execution of the saved search might fall behind
      depending on the scheduler's load.
    * Use continuous scheduling whenever you enable the 'summary index' option.
* The scheduler tries to run searches that have 'realtime_schedule' set to true
  before it runs searches that have continuous scheduling
  (realtime_schedule = false).
* Default: true

schedule_priority = [default | higher | highest]
* Raises the scheduling priority of a search:
  * When set to "default", this setting specifies that there is no increase to
    the scheduling priority.
  * When set to "higher", this setting specifies that the scheduling priority
    is higher than other searches of the same scheduling tier. While there are
    four tiers of priority for scheduled searches, only the following are
    affected by this setting:
      1. Real-Time-Scheduled (realtime_schedule=1).
      2. Continuous-Scheduled (realtime_schedule=0).
  * When set to "highest", this setting specifies that the scheduling priority
    is higher than other searches regardless of scheduling tier. However,
    real-time-scheduled searches with 'schedule_priority = highest' always have
    priority over continuous scheduled searches with 'schedule_priority =
    highest'.
  * The high-to-low order is:
      RTSS(H) > CSS(H) > RTSS(h) > RTSS(d) > CSS(h) > CSS(d)
    Where:
        RTSS = real-time-scheduled search
        CSS = continuous-scheduled search
        d = default
        h = higher
        H = highest
* The scheduler honors a non-default priority only when the search owner has
  the 'edit_search_schedule_priority' capability.
  * A non-default priority is mutually exclusive with a non-zero
    'schedule_window' (see below). If a user specifies both for a scheduled
    search, the scheduler honors the priority only.
  * However, if a user specifies both settings for a search, but the search
    owner does not have the 'edit_search_schedule_priority' capability, then
    the scheduler ignores the priority setting and honors the 'schedule_window'.
* CAUTION: Having too many searches with a non-default priority impedes the
  ability of the scheduler to minimize search starvation. Use this setting
  only for mission-critical searches.
* Default: default

schedule_window = <unsigned integer> | auto
* When 'schedule_window' is non-zero, it indicates to the scheduler that the
  search does not require a precise start time. This gives the scheduler
  greater flexibility when it prioritizes searches.
* When 'schedule_window' is set to an integer greater than 0, it specifies the
  "window" of time (in minutes) that a search may start within.
    * The 'schedule_window' must be shorter than the period of the search.
    * Schedule windows are not recommended for searches that run every minute.
* When set to 0, there is no schedule window. The scheduler starts the search
  as close to its scheduled time as possible.
* When set to "auto," the scheduler calculates the 'schedule_window' value
  automatically.
    * For more information about this calculation, see the search scheduler
      documentation.
* A non-zero 'schedule_window' is mutually exclusive with a non-default
  'schedule_priority'. See 'schedule_priority' for details.
* Default: 0 for searches that are owned by users with the
           'edit_search_schedule_window' capability.
           For these searches, this value can be changed.
* Default: auto for searches that are owned by users that do not have the
           'edit_search_schedule_window' capability.
           For these searches, this setting cannot be changed.
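The rules above for 'schedule_priority', 'schedule_window', the 'edit_search_schedule_priority' capability and the RTSS/CSS ordering, worked through as an added Python example (not Splunk's scheduler code). The SavedSearch dataclass and the function names are this example's own, and it assumes that 'schedule_window = auto' counts as a non-zero window for the exclusivity rule.

```python
from dataclasses import dataclass

# High-to-low order from the spec: RTSS(H) > CSS(H) > RTSS(h) > RTSS(d) > CSS(h) > CSS(d)
_ORDER = [
    ("rtss", "highest"),
    ("css", "highest"),
    ("rtss", "higher"),
    ("rtss", "default"),
    ("css", "higher"),
    ("css", "default"),
]


@dataclass
class SavedSearch:
    name: str
    realtime_schedule: bool = True        # spec default: true (RTSS tier)
    schedule_priority: str = "default"    # spec default
    schedule_window: str = "0"            # "0", "auto", or a number of minutes as a string
    owner_can_set_priority: bool = False  # owner holds 'edit_search_schedule_priority'


def window_is_nonzero(window):
    """Assumption: 'auto' is treated as a non-zero window, like any positive integer."""
    window = window.strip().lower()
    return window == "auto" or int(window) > 0


def effective_settings(s):
    """Return (tier, priority, window) as the scheduler actually honors them."""
    if s.schedule_priority not in ("default", "higher", "highest"):
        raise ValueError(f"bad schedule_priority {s.schedule_priority!r}")
    tier = "rtss" if s.realtime_schedule else "css"
    priority, window = s.schedule_priority, s.schedule_window
    if priority != "default":
        if not s.owner_can_set_priority:
            priority = "default"   # capability missing: priority ignored, window honored
        elif window_is_nonzero(window):
            window = "0"           # both set and owner is capable: priority wins
    return tier, priority, window


def rank(s):
    """Position in the high-to-low order; smaller ranks are dispatched first."""
    tier, priority, _ = effective_settings(s)
    return _ORDER.index((tier, priority))


def schedule_order(searches):
    """Names in dispatch order. sorted() is stable, so ties keep their input order."""
    return [s.name for s in sorted(searches, key=rank)]


# Constructed sample searches covering each rule.
SAMPLE = [
    SavedSearch("A rtss default"),
    SavedSearch("B css highest", realtime_schedule=False, schedule_priority="highest",
                owner_can_set_priority=True),
    SavedSearch("C rtss highest no capability", schedule_priority="highest",
                schedule_window="auto"),
    SavedSearch("D css higher with window", realtime_schedule=False, schedule_priority="higher",
                schedule_window="15", owner_can_set_priority=True),
    SavedSearch("E rtss higher", schedule_priority="higher", owner_can_set_priority=True),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.name, "->", effective_settings(s), "rank", rank(s))
    print(schedule_order(SAMPLE))
```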

schedule_as = [auto|classic|prjob]
* Specifies whether a scheduled search should use parallel reduce search 
  processing each time it runs. 
* When set to 'auto', the Splunk software determines automatically whether 
  this scheduled search should use parallel reduce search processing, each time 
  it runs. This means it might not use parallel reduce processing some of the 
  time or all of the time. For details, please check 'autoAppliedPercentage' in
  'parallelreduce' stanza.
* When set to 'classic', the Splunk software is forced to NOT use parallel reduce 
  search processing for this scheduled search, each time it runs.
* When set to 'prjob', the Splunk software is forced to use parallel reduce 
  search processing for this scheduled search, each time it runs.
* Default: 'auto'

Workload management options


workload_pool = <name of workload pool>
* Specifies the name of the workload pool to be used by this search.
* There are multiple workload pools defined in the workload_pools.conf file.
  Each workload pool has different resource limits associated with it, for
  example, CPU, Memory, etc.
* The search process of this search is launched into the 'workload_pool'
  specified above.
* The 'workload_pool' used should be defined in the workload_pools.conf file.
* If workload management is enabled and an explicit 'workload_pool' is not
  specified, the 'default_pool' defined in the workload_pools.conf file is used.

Notification options


counttype = number of events | number of hosts | number of sources | custom | always
* Set the type of count for alerting.
* Used with the 'relation' and 'quantity' settings.
* NOTE: If you specify "always," do not set 'relation' or 'quantity'.
* Default: always

relation = greater than | less than | equal to | not equal to | drops by | rises by
* Specifies how to compare against 'counttype'.
* Default: empty string

quantity = <integer>
* Specifies a value for the 'counttype' and 'relation' settings, to determine
  the condition under which an alert is triggered by a saved search.
* Think of it as a sentence constructed like this: <counttype> <relation>
  <quantity>.
  * For example, "number of events [is] greater than 10" sends an alert when the
    count of events is larger than 10.
  * For example, "number of events drops by 10%" sends an alert when the count
    of events drops by 10%.
* Default: empty string

alert_condition = <search string>
* Contains a conditional search that is evaluated against the results of the
  saved search. Alerts are triggered if the specified search yields a
  non-empty search result list.
* Default: empty string


#*******
# Generic action settings.
# For a comprehensive list of actions and their arguments, refer to the
# alert_actions.conf file.
#*******

action.<action_name> = <boolean>
* Indicates whether the action is enabled for a particular saved
  search.
* The 'action_name' can be: email | populate_lookup | script | summary_index
* For more about your defined alert actions see the alert_actions.conf file.
* Default: empty string

action.<action_name>.<parameter> = <value>
* Overrides an action's <parameter> as defined in the alert_actions.conf file,
  with a new <value> for this saved search only.
* Default: empty string


Settings for email action


action.email = <boolean>
* Specifies whether the email action is enabled for this search.
* Default: false

action.email.to = <email list>
* REQUIRED. This setting is not defined in the alert_actions.conf file.
* Set a comma-delimited list of recipient email addresses.
* Default: empty string

* NOTE: When configured in Splunk Web, the following email settings
  are written to this conf file only if their values differ
  from the settings in the alert_actions.conf file.

action.email.from = <email address>
* Set an email address to use as the sender's address.
* Default: splunk@<LOCALHOST>
    (or the 'from' setting in the alert_actions.conf file)

action.email.subject = <string>
* Set the subject of the email delivered to recipients.
* Default: SplunkAlert-<savedsearchname>
    (or the 'subject' setting in the alert_actions.conf file)

action.email.mailserver = <string>
* Set the address of the MTA server to be used to send the emails.
* Default: <LOCALHOST>
    (or the 'mailserver' setting in alert_actions.conf file)

action.email.maxresults = <integer>
* Set the maximum number of results to email.
* Any alert-level results threshold greater than this number is capped at this
  level.
* This value affects all methods of result inclusion by email alert: inline,
  CSV, and PDF.
* NOTE: This setting is affected globally by the 'maxresults' setting in the
  [email] stanza of the alert_actions.conf file.
* Default: 10000

action.email.include.results_link = [1|0]
* Specify whether to include a link to search results in the alert notification
  email.
* Default: 1 (true)
    (or the 'include.result.link' setting in the alert_actions.conf file)

action.email.include.search = [1|0]
* Specify whether to include the query whose results triggered the email.
* Default: 0 (false)
    (or the 'include.search' setting in the alert_actions.conf file)

action.email.include.trigger = [1|0]
* Specify whether to include the alert trigger condition.
* Default: 0 (false)
    (or the 'include.trigger' setting in the alert_actions.conf file)

action.email.include.trigger_time = [1|0]
* Specify whether to include the alert trigger time.
* Default: 0 (false) or whatever is set in the alert_actions.conf file

action.email.include.view_link = [1|0]
* Specify whether to include saved search title and a link for editing the
  saved search.
* Default: 1 (true)
    (or the 'include.view_link' setting in the alert_actions.conf file)

action.email.inline = [1|0]
* Specify whether to include search results or PNG exports in the body of
  the alert notification email.
* Default: 0 (false)
    (or the 'inline' setting in the alert_actions.conf file)

action.email.sendcsv = [1|0]
* Specify whether to send results as a CSV file.
* Default: 0
    (or the 'sendcsv' setting in the alert_actions.conf file)

action.email.allow_empty_attachment = <boolean>
* Specifies whether the Splunk software attaches a CSV or PDF file to an
  alert email even when the triggering alert search does not have results.
* Use this setting to override for specific alerts the default set for
  email alert actions in 'alert_actions.conf'.
* Default: set by the 'allow_empty_attachment' setting in
           'alert_actions.conf'

action.email.sendpdf = [1|0]
* Specify whether to send results as a PDF file.
* Default: 0 (false)
    (or the 'sendpdf' setting in the alert_actions.conf file)

action.email.sendpng = [1|0]
* Specify whether to send Dashboard Studio results as a PNG file.
* Default: 0 (false)
    (or the 'sendpng' setting in the alert_actions.conf file)

action.email.sendresults = [1|0]
* Specify whether to include search results in the alert notification email.
* Default: 0 (false)
    (or the 'sendresults' setting in the alert_actions.conf file)


Settings for script action


action.script = <boolean>
* Specifies whether the script action is enabled for this search.
* Default: false

action.script.filename = <script filename>
* The filename, with no path, of the shell script to run.
* The script should be located in: $SPLUNK_HOME/bin/scripts/
* For system shell scripts on UNIX, or .bat or .cmd files on Windows, there
  are no further requirements.
* For other types of scripts, the first line should begin with a #! marker,
  followed by a path to the interpreter that will run the script.
  * Example: #!C:\Python27\python.exe
* Default: empty string

Settings for lookup action


action.lookup = <boolean>
* Specifies whether the lookup action is enabled for this search.
* Default: false

action.lookup.filename = <lookup filename>
* Provide the name of the CSV lookup file to write search results to.
  Do not provide a file path.
* Lookup actions can only be applied to CSV lookups.

action.lookup.append = <boolean>
* Specifies whether to append results to the lookup file defined for the
  'action.lookup.filename' setting.
* Default: false

Settings for summary index action


action.summary_index = <boolean>
* Specifies whether the summary index action is enabled for this search.
* Default: false.

action.summary_index._name = <index>
* Specifies the name of the summary index where the results of the scheduled
  search are saved.
* Default: summary

action.summary_index._type = [event | metric]
* Specifies the data type of the summary index where the Splunk software saves
  the results of the scheduled search.
* Default: event

action.summary_index._metric_dims = <comma-delimited-field-list>
* Optional
* Identify one or more fields with numeric values that the Splunk software
  should convert into dimensions during the summary indexing process.
* The Splunk software converts all fields with numeric values that are not in
  this list into measures.
* If you provide a list of fields, separate them with commas.
* Default: empty string

action.summary_index.inline = <boolean>
* Specify whether to run the summary indexing action as part of the
  scheduled search.
* NOTE: This option is considered only if the summary index action is enabled
  and is always run (in other words, if 'counttype = always').
* Default: 1 (true)

action.summary_index.<field> = <string>
* Specifies a field/value pair to add to every event that gets summary indexed
  by this search.
* You can define multiple field/value pairs for a single summary index search.

action.summary_index.force_realtime_schedule = <boolean>
* By default 'realtime_schedule' is false for a report configured for
  summary indexing. Set this attribute to 'true' or '1' to override the
  default behavior.
* CAUTION: Setting this to 'true' can cause gaps in summary data as a
  realtime_schedule search is skipped if search concurrency limits are violated.
* Default: 0 (false)

Settings for lookup table population parameters


action.populate_lookup = <boolean>
* Specifies whether the lookup population action is enabled for this search.
* Default: false

action.populate_lookup.dest = <string>
* Can be one of the following two options:
  * A lookup name from transforms.conf. The lookup name cannot be associated
    with KV store.
  * A path to a lookup .csv file that the search results should be copied to,
    relative to $SPLUNK_HOME.
    * NOTE: This path must point to a .csv file in either of the following
            directories:
      * etc/system/lookups/
      * etc/apps/<app-name>/lookups
      * NOTE: the destination directories of the above files must already exist.
* Default: empty string

run_on_startup = <boolean>
* Specifies whether this search runs when the Splunk platform starts or when
  an edit that changes search-related arguments is made. This includes the
  search string and the dispatch.* arguments.
* If set to "true", the search is run as soon as possible during startup or
  after edit. Otherwise the search is run at the next scheduled time.
* Set 'run_on_startup' to "true" for scheduled searches that populate
  lookup tables or generate artifacts used by dashboards.
* Default: false

run_n_times = <unsigned integer>
* Runs this search exactly the specified number of times. The search is not run
  again until the Splunk platform is restarted.
* Default: 0 (infinite)


dispatch search options


dispatch.ttl = <integer>[p]
* Indicates the time to live (ttl), in seconds, for the search job artifacts 
  produced by the scheduled search, if no actions are triggered.
* If the integer is followed by the letter 'p', the ttl is calculated as a
  multiple of the execution period for the scheduled search.
  * For example, if the search is scheduled to run hourly and ttl is set to 2p,
    the ttl of the artifacts is set to 2 hours.
* If an action is triggered for the scheduled search, the ttl changes to the 
  ttl for the action. If multiple actions are triggered, the action with the 
  largest ttl is applied to the artifacts. To set the ttl for an action, refer 
  to the alert_actions.conf.spec file.
* If the scheduled search is configured as an alert, the alert must have a 
  minimum ttl of 1p. At all times an alert must have an artifact accessible
  within its cron schedule. 
  * If the alert has "rises by" or "drops by" in its trigger condition, the 
    alert must have a minimum ttl of 2p to make this trigger condition 
    possible. The "rises by" and "drops by" trigger condition elements require 
    that at any given point in time the most recent two artifacts of the alert 
    are available.
* For more information on the ttl for a search, see the limits.conf.spec file
  [search] stanza ttl setting.
* Default: 2p

dispatch.buckets  = <integer>
* The maximum number of timeline buckets.
* Default: 0

dispatch.max_count = <integer>
* The maximum number of results before finalizing the search.
* Default: 500000

dispatch.max_time = <integer>
* The maximum amount of time, in seconds, before finalizing the search.
* Default: 0

dispatch.lookups = 1| 0
* Enables or disables lookups for this search.
* Specify 1 to enable, 0 to disable.
* Default: 1

dispatch.earliest_time = <time-str>
* Specifies the earliest time for this search. Can be a relative or absolute
  time.
* If this value is an absolute time, use the 'dispatch.time_format' setting
  to format the value.
* Default: empty string

dispatch.latest_time = <time-str>
* Specifies the latest time for this saved search. Can be a relative or
  absolute time.
* If this value is an absolute time, use the 'dispatch.time_format' setting
  to format the value.
* Default: empty string

dispatch.index_earliest = <time-str>
* Specifies the earliest index time for this search. Can be a relative or
  absolute time.
* If this value is an absolute time, use the 'dispatch.time_format' setting
  to format the value.
* Default: empty string

dispatch.index_latest= <time-str>
* Specifies the latest index time for this saved search. Can be a relative or
  absolute time.
* If this value is an absolute time, use the 'dispatch.time_format' setting
  to format the value.
* Default: empty string

dispatch.time_format = <time format str>
* Defines the time format that is used to specify the earliest and latest
  time.
* Default: %FT%T.%Q%:z

dispatch.spawn_process = 1 | 0
* Specifies whether a new search process is started when this saved search
  is run.
* Default: 1 (true)

dispatch.auto_cancel = <integer>
* Specifies the amount of inactive time, in seconds, after which the job
  is automatically canceled.
* 0 means to never auto-cancel the job.
* Default: 0

dispatch.auto_pause = <integer>
* Specifies the amount of inactive time, in seconds, after which the
  search job is automatically paused.
* 0 means to never auto-pause the job.
* To restart a paused search job, specify 'unpause' as an action to POST
  search/jobs/{search_id}/control.
* auto_pause only goes into effect once. Unpausing after auto_pause does not
  put auto_pause into effect again.
* Default: 0

dispatch.reduce_freq = <integer>
* Specifies the frequency, in number of intermediary results chunks, that
  the MapReduce reduce phase should run on the accumulated map values.
* Default: 10

dispatch.allow_partial_results = <boolean>
* Specifies whether the search job can proceed to provide partial results if a search
  peer fails. When set to false, the search job fails if a search peer providing
  results for the search job fails.
* Default: true

dispatch.rt_backfill = <boolean>
* Specifies whether to do real-time window backfilling for scheduled real-time
  searches.
* Default: false

dispatch.indexedRealtime = <boolean>
* Specifies whether to use 'indexed-realtime' mode when doing real-time
  searches.
* Overrides the setting in the limits.conf file for the
  'indexed_realtime_use_by_default' setting in the [realtime] stanza.
* This setting applies to each job.
* See the [realtime] stanza in the limits.conf.spec file for more information.
* Default: The value for 'indexed_realtime_use_by_default' in the limits.conf
  file.

dispatch.indexedRealtimeOffset = <integer>
* Controls the number of seconds to wait for disk flushes to finish.
* Overrides the setting in the limits.conf file for the
  'indexed_realtime_disk_sync_delay' setting in the [realtime] stanza.
* This setting applies to each job.
* See the [realtime] stanza in the limits.conf.spec file for more information.
* Default: The value for 'indexed_realtime_disk_sync_delay' in the limits.conf
  file.

dispatch.indexedRealtimeMinSpan = <integer>
* Minimum seconds to wait between component index searches.
* Overrides the setting in the limits.conf file for the
  'indexed_realtime_default_span' setting in the [realtime] stanza.
* This setting applies to each job.
* See the [realtime] stanza in the limits.conf.spec file for more information.
* Default: The value for 'indexed_realtime_default_span' in the limits.conf
  file.

dispatch.rt_maximum_span = <integer>
* The max seconds allowed to search data which falls behind realtime.
* Use this setting to set a limit, after which events are no longer considered
  for the result set. The search catches back up to the specified delay from
  realtime and uses the default span.
* Overrides the setting in the limits.conf file for the
  'indexed_realtime_maximum_span' setting in the [realtime] stanza.
* This setting applies to each job.
* See the [realtime] stanza in the limits.conf.spec file for more information.
* Default: the value for 'indexed_realtime_maximum_span' in the limits.conf
  file.

dispatch.sample_ratio = <integer>
* The integer value used to calculate the sample ratio. The formula is
  1 / <integer>.
* The sample ratio specifies the likelihood of any event being included in the
  sample.
* For example, if sample_ratio = 500, each event has a 1/500 chance of being
  included in the sample result set.
* Default: 1

dispatch.rate_limit_retry = <boolean>
* Specifies whether the search job will be re-run in case of failure caused by 
  search requests throttling on remote peers.
* Currently this setting only applies when used in a search head cluster (SHC).
* Overrides value of 'allow_partial_results'.
* Does not apply to real time searches.
* Default: false

restart_on_searchpeer_add = 1 | 0
* Specifies whether to restart a real-time search managed by the scheduler when
  a search peer becomes available for this saved search.
* NOTE: The peer can be a newly added peer or a peer that has been down and has
        become available.
* Default: 1 (true)

durable search options

durable.track_time_type = [ _time | _indextime | none ]
* Indicates that a scheduled search is durable and specifies how the search 
  tracks events. 
  * A durable search is a search that tries to ensure the delivery of all 
    results, even when the search process is slowed or stopped by runtime 
    issues like rolling restarts, network bottlenecks, and even downed servers.
  * When durable searches encounter search errors that they cannot recover 
    from, they do not return any results. 
  * When a durable scheduled search job fails in this manner, the Splunk 
    software reschedules a new run of the durable search over the same period
    of time to backfill the missing data. See the 'durable.backfill_type' and 
    'durable.max_backfill_intervals' settings for more information.
  * This setting cannot be applied to real-time and ad hoc searches. 
  * For searches of metric data, only the '_time' setting is available.
* If set to '_time', the durable search tracks each event by its original 
  timestamp. 
* If set to '_indextime', the durable search tracks each event by the time
  that it is indexed.
* If this setting is set to 'none' or not set, the search is not durable.
* Default: Not set

durable.lag_time = <unsigned integer>
* Specifies the search time delay, in seconds, that a durable search uses to catch 
  events that are ingested or indexed late. 
* This setting takes effect only for searches that have a setting for 
  'durable.track_time_type'.
* In most cases, '60' (1 minute) is a good 'lag_time' for durable searches that 
  track '_indextime'. 
* If your durable search tracks '_time', check to see how long the events for 
  the search are delayed at indexing before setting a 'lag_time' for it.
* Default: 0

durable.backfill_type = [ auto | time_interval | time_whole ]
* Specifies how the Splunk software backfills the lost search results of failed 
  scheduled search jobs.
* When set to 'time_whole', the Splunk software schedules a single backfill 
  search job with a time range that spans the combined time ranges of all 
  failed scheduled search jobs. The 'time_whole' setting can be applied only to 
  searches that are streaming, where the results are raw events without 
  additional aggregation.
* When set to 'time_interval', the Splunk software schedules multiple backfill
  search jobs, one for each failed scheduled search job. The backfill jobs have
  time ranges that match those of the failed jobs. The 'time_interval' setting
  can be applied to both streaming and non-streaming searches.
* When set to 'auto', the Splunk software decides the backfill type by checking 
  whether the search is streaming or not. If the search is streaming, the 
  Splunk software uses the 'time_whole' backfill type. Otherwise, it uses the 
  'time_interval' backfill type.
* This setting takes effect only for searches that have a setting for 
  'durable.track_time_type'.
* Default: auto

durable.max_backfill_intervals = <unsigned integer>
* Specifies the maximum number of cron intervals (previous scheduled search 
  jobs) that the Splunk software can attempt to backfill for this search, when 
  those jobs have incomplete events.
* This setting takes effect only for searches that have a setting for 
  'durable.track_time_type'. 
* For example, if 'durable.max_backfill_intervals' is set to '100', the maximum 
  backfill time range for a search is 100 multiplied by the cron interval for 
  the scheduled search. 
* Default: 0 (unlimited) 
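The three 'durable.*' backfill rules above, modelled as an added example (not Splunk scheduler code): 'auto' picks the type from whether the search streams, 'time_whole' merges the failed runs into one range, 'time_interval' keeps one job per run, and 'durable.max_backfill_intervals' caps the total range. Treating that cap as a window measured back from the newest failed run is an assumption; the Interval type and sample runs are constructed.

```python
"""Model of how the 'durable.*' settings turn failed scheduled runs into
backfill jobs. Added illustration of the rules in savedsearches.conf.spec,
not Splunk code. Assumption: 'max_backfill_intervals' bounds the total time
range measured back from the end of the newest failed run."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Interval:
    start: int  # epoch seconds, inclusive
    end: int    # epoch seconds, exclusive


def plan_backfill(failed, cron_interval, backfill_type="auto",
                  streaming=True, max_backfill_intervals=0):
    """Return the backfill job time ranges for a durable search.

    failed:                 one Interval per failed scheduled run, any order.
    cron_interval:          seconds between scheduled runs.
    backfill_type:          'auto', 'time_whole' or 'time_interval'.
    streaming:              True when results are raw events, no aggregation.
    max_backfill_intervals: 0 means unlimited, the spec default.
    """
    if backfill_type == "auto":
        # 'auto' resolves from the streaming property of the search.
        backfill_type = "time_whole" if streaming else "time_interval"
    if backfill_type not in ("time_whole", "time_interval"):
        raise ValueError(f"unknown backfill_type {backfill_type!r}")
    if backfill_type == "time_whole" and not streaming:
        raise ValueError("time_whole applies only to streaming searches")

    jobs = sorted(failed)
    if not jobs:
        return []
    if max_backfill_intervals:
        # Assumed semantics of the cap: keep only runs that start inside the
        # last N cron intervals; older failed runs are left unfilled.
        window_start = jobs[-1].end - max_backfill_intervals * cron_interval
        jobs = [j for j in jobs if j.start >= window_start]
    if backfill_type == "time_whole":
        # One job spanning the combined ranges of all failed runs.
        return [Interval(jobs[0].start, jobs[-1].end)]
    # One job per failed run, same time range as the run it replaces.
    return jobs


if __name__ == "__main__":
    # Constructed sample: three consecutive 5-minute runs that all failed.
    failed_runs = [Interval(600, 900), Interval(0, 300), Interval(300, 600)]
    print("auto, streaming     :", plan_backfill(failed_runs, 300))
    print("auto, non-streaming :", plan_backfill(failed_runs, 300, streaming=False))
    print("capped to 2 intervals:",
          plan_backfill(failed_runs, 300, "time_interval", max_backfill_intervals=2))
```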

auto summarization options

auto_summarize  = <boolean>
* Specifies if the scheduler should ensure that the data for this search is
  automatically summarized.
* Default: false

auto_summarize.command = <string>
* A search template to use to construct the auto summarization for this search.
* DO NOT change this setting unless you know what you're doing.

auto_summarize.timespan = <time-specifier> (, <time-specifier>)*
* Comma-delimited list of time ranges that each summarized chunk should span.
  This comprises the list of available granularity levels for which summaries
  would be available. For example, a timechart over the last month whose
  granularity is at the day level should set this to "1d". If you need
  the same data summarized at the hour level because you need to have weekly
  charts then use: "1h,1d".
* This setting does not support "1w" timespans.

auto_summarize.cron_schedule = <cron-string>
* Cron schedule to use to probe or generate the summaries for this search.

auto_summarize.dispatch.<arg-name> = <string>
* Any dispatch.* options that need to be overridden when running the summary
  search.

auto_summarize.suspend_period = <time-specifier>
* The amount of time to suspend summarization of this search if the
  summarization is deemed unhelpful.
* Default: 24h

auto_summarize.max_summary_size = <unsigned integer>
* The minimum summary size at which to start testing its helpfulness.
* Default: 52428800 (5MB)

auto_summarize.max_summary_ratio = <positive decimal>
* The maximum ratio of summary_size/bucket_size at which to stop summarization
  and deem it unhelpful for a bucket.
* NOTE: The test is only performed if the summary size is larger
  than the 'auto_summarize.max_summary_size' setting.
* Default: 0.1

auto_summarize.max_disabled_buckets = <unsigned integer>
* The maximum number of buckets with suspended summarization before the
  summarization search is completely stopped and the summarization of the
  search is suspended for the period specified in the
  'auto_summarize.suspend_period' setting.
* Default: 2

auto_summarize.max_time = <unsigned integer>
* The maximum amount of time that the summary search is allowed to run.
* NOTE: This is an approximate time and the summarize search will be stopped at
  clean bucket boundaries.
* Default: 3600

auto_summarize.hash = <string>
* An auto generated setting.

auto_summarize.normalized_hash = <string>
* An auto generated setting.

auto_summarize.max_concurrent = <unsigned integer>
* The maximum number of concurrent instances of this auto summarizing search,
  that the scheduler is allowed to run.
* Default: 1

auto_summarize.workload_pool = <name of workload pool>
* Sets the name of the workload pool that is used by this auto summarization.
* There are multiple workload pools defined in workload_pools.conf.
  Each workload pool has different resource limits associated with it,
  for example, CPU, Memory, etc.
* The search process of this auto summarization is launched into the
  workload_pool specified above.
* The workload_pool used should be defined in workload_pools.conf.
* If workload management is enabled and an explicit workload_pool is not
  specified, the workload rules defined in workload_rules.conf try to put the
  search into a proper pool as specified in some rule. If there is no rule
  defined for this search, the default_pool defined in workload_pools.conf is
  used.

alert suppression/severity/expiration/tracking/viewing settings


alert.suppress = <boolean>
* Specifies whether alert suppression is enabled for this scheduled search.
* Default: false

alert.suppress.period = <time-specifier>
* Sets the suppression period. Use [number][time-unit] to specify a time.
* For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes.
* Honored if and only if 'alert.suppress = 1'.
* Default: empty string

alert.suppress.fields = <comma-delimited-field-list>
* List of fields to use when suppressing per-result alerts. This field *must*
  be specified if the digest mode is disabled and suppression is enabled.
* Default: empty string.

alert.suppress.group_name = <string>
* Optional.
* Use this setting to define an alert suppression group for a set of alerts
  that are running over the same or very similar datasets. Do this to avoid
  getting multiple triggered alert notifications for the same data.
* All alerts with the same 'alert.suppress.group_name' value are in the same
  alert suppression group, as long as they are all owned by the same user.
  * Alerts belonging to different users cannot be included in the same
    suppression group, even if they all have the same 'group_name'.
* When an alert within an alert suppression group is triggered, all of the
  alerts in the group are suppressed for a period of time defined by the
  'alert.suppress.period' of the triggered alert. The triggered alert performs
  its alert actions, if it has any. The other alerts in the group do not
  perform their alert actions.
  * For example, say you have an alert suppression group with five alerts. Each
    of these alerts has a different 'alert.suppress.period' and a different
    alert action. If one alert from the group with an 'alert.suppress.period'
    of 5m and an email alert action is triggered, all of the alerts in the
    group are suppressed for 5m. However, only one alert action happens: the
    email for the triggering alert.
* Default: empty string.
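A simulation of the suppression rules described for 'alert.suppress', 'alert.suppress.period', 'alert.suppress.fields' and 'alert.suppress.group_name', added here as an example (not Splunk code): a triggered alert suppresses its whole owner-scoped group for its own period, and with digest mode off each distinct 'fields' combination is suppressed on its own. The Alert dataclass, Suppressor class and sample alerts are constructed.

```python
"""Simulation of savedsearches.conf alert suppression semantics. Added
example, not Splunk code: the Alert and Suppressor types are constructed to
mirror the rules stated in the spec."""
from dataclasses import dataclass

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_period(spec):
    """'60' -> 60, '5m' -> 300, '1h' -> 3600; a bare number means seconds."""
    spec = spec.strip()
    if spec and spec[-1] in UNITS:
        return int(spec[:-1]) * UNITS[spec[-1]]
    return int(spec)


@dataclass
class Alert:
    name: str
    owner: str
    suppress: bool = False        # alert.suppress
    period: str = "0"             # alert.suppress.period
    group_name: str = ""          # alert.suppress.group_name
    digest_mode: bool = True      # alert.digest_mode
    fields: tuple = ()            # alert.suppress.fields


class Suppressor:
    """Tracks suppression windows the way the spec describes them."""

    def __init__(self):
        self.until = {}  # suppression key -> epoch time the window ends

    def _key(self, alert, result=None):
        # Groups are scoped by owner: the same group_name under a different
        # owner is a different window. Without a group, the alert is its own
        # scope. Per-result suppression adds the values of 'fields'.
        scope = alert.group_name or alert.name
        values = tuple(result.get(f) for f in alert.fields) if result else ()
        return (alert.owner, scope, values)

    def _allowed(self, key, now, period):
        if now < self.until.get(key, -1):
            return False
        # The triggering alert's own period defines the window for the key,
        # which for a group means every alert in that group.
        self.until[key] = now + period
        return True

    def trigger(self, alert, now, results):
        """Return the results whose alert actions run at time 'now'.

        Digest mode: the whole result set either runs or is suppressed.
        Per-result mode: each combination of 'fields' is suppressed
        independently, so a repeat for one host does not block a new host."""
        if not results or not alert.suppress:
            return list(results)
        period = parse_period(alert.period)
        if alert.digest_mode:
            return list(results) if self._allowed(self._key(alert), now, period) else []
        if not alert.fields:
            raise ValueError("alert.suppress.fields is required when digest mode is off")
        return [r for r in results if self._allowed(self._key(alert, r), now, period)]


if __name__ == "__main__":
    # Constructed sample: two alerts of one owner share a group, a third
    # alert of another owner uses the same group_name.
    s = Suppressor()
    a = Alert("A", "alice", True, "5m", "g")
    b = Alert("B", "alice", True, "1m", "g")
    c = Alert("C", "bob", True, "1m", "g")
    print("A at t=0  :", s.trigger(a, 0, [{"host": "x"}]))    # runs, group held 5m
    print("B at t=60 :", s.trigger(b, 60, [{"host": "x"}]))   # suppressed by A
    print("C at t=60 :", s.trigger(c, 60, [{"host": "x"}]))   # other owner, runs
```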

alert.severity = <integer>
* Sets the alert severity level.
* Valid values are: 1-debug, 2-info, 3-warn, 4-error, 5-severe, 6-fatal
* Default: 3

alert.expires = <time-specifier>
* Sets the period of time to show the alert on the Triggered Alerts page.
  * Use [number][time-unit] to specify a time.
  * For example: 60s = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour etc
* This setting is only honored when 'alert.track = true' (when the "Add to
  Triggered Alerts" action is selected for the alert in Splunk Web).
* This property is valid until splunkd restarts. Restart clears the listing of
  triggered alerts.
* Default: 24h

alert.digest_mode = <boolean>
* Whether or not the Splunk platform applies the alert actions to the entire 
  result set or to each individual result.
* A value of "true" means that the Splunk platform applies the alert actions
  to the entire result set.
* A value of "false" means that the Splunk platform applies the alert actions
  to each individual result.
* Default: true

alert.track = <boolean> | auto
* Specifies whether to track the actions triggered by this scheduled search.
  * auto - determine whether to track or not based on the tracking setting of
    each action, do not track scheduled searches that always trigger actions.
  * true - force alert tracking.
  * false - disable alert tracking for this search.
* Default: auto

alert.display_view = <string>
* Name of the UI view where the emailed link for each result alerts should
  point to.
* If not specified, the value of the 'request.ui_dispatch_app' setting is used.
  If the 'request.ui_dispatch_app' setting is missing then "search" is used.
* Default: empty string

alert.managedBy = <string>
* Specifies the feature or component that created the alert.
* Default: empty string


UI-specific settings


displayview =<string>
* Defines the default UI view name (not label) in which to load the results.
* Accessibility is subject to the user having sufficient permissions.
* Default: empty string

vsid = <string>
* Defines the view state ID associated with the UI view listed in the
  'displayview' setting.
* Must match up to a stanza in the viewstates.conf file.
* Default: empty string

is_visible = <boolean>
* Specifies whether this saved search should be listed in the visible saved
  search list within apps.
* Saved searches are still visible when accessing the "Searches, reports,
  and alerts" page in Splunk Web.
* Default: true

description = <string>
* Human-readable description of this saved search.
* Default: empty string

request.ui_dispatch_app  = <string>
* Specifies a field used by Splunk UI to denote the app that this search
  should be dispatched in.
* Default: empty string

request.ui_dispatch_view = <string>
* Specifies a field used by Splunk UI to denote the view this search should be
  displayed in.
* Default: empty string

Display Formatting Options


# General options
display.general.enablePreview = [0 | 1]
display.general.type = [events|statistics|visualizations]
display.general.timeRangePicker.show = [0 | 1]
display.general.migratedFromViewState = [0 | 1]
display.general.locale = <string>

# Event options
display.events.fields = [<string>(, <string>)*]
display.events.type = [raw|list|table]
display.events.rowNumbers = [0 | 1]
display.events.maxLines = <integer>
display.events.raw.drilldown = [inner|outer|full|none]
display.events.list.drilldown = [inner|outer|full|none]
display.events.list.wrap = [0 | 1]
display.events.table.drilldown = [0 | 1]
display.events.table.wrap = [0 | 1]

# Statistics options
display.statistics.rowNumbers = [0 | 1]
display.statistics.wrap = [0 | 1]
display.statistics.overlay = [none|heatmap|highlow]
display.statistics.drilldown = [row|cell|none]
display.statistics.totalsRow = [0 | 1]
display.statistics.percentagesRow = [0 | 1]
display.statistics.show = [0 | 1]

# Visualization options
display.visualizations.trellis.enabled = [0 | 1]
display.visualizations.trellis.scales.shared = [0 | 1]
display.visualizations.trellis.size = [small|medium|large]
display.visualizations.trellis.splitBy = <string>
display.visualizations.show = [0 | 1]
display.visualizations.type = [charting|singlevalue|mapping|custom]
display.visualizations.chartHeight = <integer>
display.visualizations.charting.chart = [line|area|column|bar|pie|scatter|bubble|radialGauge|fillerGauge|markerGauge]
display.visualizations.charting.chart.stackMode = [default|stacked|stacked100]
display.visualizations.charting.chart.nullValueMode = [gaps|zero|connect]
display.visualizations.charting.chart.overlayFields = <string>
display.visualizations.charting.drilldown = [all|none]
display.visualizations.charting.chart.style = [minimal|shiny]
display.visualizations.charting.layout.splitSeries = [0 | 1]
display.visualizations.charting.layout.splitSeries.allowIndependentYRanges = [0 | 1]
display.visualizations.charting.legend.mode = [standard|seriesCompare]
display.visualizations.charting.legend.placement = [right|bottom|top|left|none]
display.visualizations.charting.legend.labelStyle.overflowMode = [ellipsisEnd|ellipsisMiddle|ellipsisStart]
display.visualizations.charting.axisTitleX.text = <string>
display.visualizations.charting.axisTitleY.text = <string>
display.visualizations.charting.axisTitleY2.text = <string>
display.visualizations.charting.axisTitleX.visibility = [visible|collapsed]
display.visualizations.charting.axisTitleY.visibility = [visible|collapsed]
display.visualizations.charting.axisTitleY2.visibility = [visible|collapsed]
display.visualizations.charting.axisX.scale = linear|log
display.visualizations.charting.axisY.scale = linear|log
display.visualizations.charting.axisY2.scale = linear|log|inherit
display.visualizations.charting.axisX.abbreviation = none|auto
display.visualizations.charting.axisY.abbreviation = none|auto
display.visualizations.charting.axisY2.abbreviation = none|auto
display.visualizations.charting.axisLabelsX.majorLabelStyle.overflowMode = [ellipsisMiddle|ellipsisNone]
display.visualizations.charting.axisLabelsX.majorLabelStyle.rotation = [-90|-45|0|45|90]
display.visualizations.charting.axisLabelsX.majorUnit = <decimal> | auto
display.visualizations.charting.axisLabelsY.majorUnit = <decimal> | auto
display.visualizations.charting.axisLabelsY2.majorUnit = <decimal> | auto
display.visualizations.charting.axisX.minimumNumber = <decimal> | auto
display.visualizations.charting.axisY.minimumNumber = <decimal> | auto
display.visualizations.charting.axisY2.minimumNumber = <decimal> | auto
display.visualizations.charting.axisX.maximumNumber = <decimal> | auto
display.visualizations.charting.axisY.maximumNumber = <decimal> | auto
display.visualizations.charting.axisY2.maximumNumber = <decimal> | auto
display.visualizations.charting.axisY2.enabled = [0 | 1]
display.visualizations.charting.chart.sliceCollapsingThreshold = <decimal>
display.visualizations.charting.chart.showDataLabels = [all|none|minmax]
display.visualizations.charting.gaugeColors = [<hex>(, <hex>)*]
display.visualizations.charting.chart.rangeValues = [<string>(, <string>)*]
display.visualizations.charting.chart.bubbleMaximumSize = <integer>
display.visualizations.charting.chart.bubbleMinimumSize = <integer>
display.visualizations.charting.chart.bubbleSizeBy = [area|diameter]
display.visualizations.charting.fieldColors = <string>
display.visualizations.charting.fieldDashStyles = <string>
display.visualizations.charting.lineWidth = <decimal>
display.visualizations.custom.drilldown = [all|none]
display.visualizations.custom.height = <integer>
display.visualizations.custom.type = <string>
display.visualizations.singlevalueHeight = <integer>
display.visualizations.singlevalue.beforeLabel = <string>
display.visualizations.singlevalue.afterLabel = <string>
display.visualizations.singlevalue.underLabel = <string>
display.visualizations.singlevalue.unit = <string>
display.visualizations.singlevalue.unitPosition = [before|after]
display.visualizations.singlevalue.drilldown = [all|none]
display.visualizations.singlevalue.colorMode = [block|none]
display.visualizations.singlevalue.rangeValues = [<string>(, <string>)*]
display.visualizations.singlevalue.rangeColors = [<string>(, <string>)*]
display.visualizations.singlevalue.trendInterval = <string>
display.visualizations.singlevalue.trendColorInterpretation = [standard|inverse]
display.visualizations.singlevalue.showTrendIndicator = [0 | 1]
display.visualizations.singlevalue.showSparkline = [0 | 1]
display.visualizations.singlevalue.trendDisplayMode = [percent|absolute]
display.visualizations.singlevalue.colorBy = [value|trend]
display.visualizations.singlevalue.useColors = [0 | 1]
display.visualizations.singlevalue.numberPrecision = [0|0.0|0.00|0.000|0.0000]
display.visualizations.singlevalue.useThousandSeparators = [0 | 1]
display.visualizations.mapHeight = <integer>
display.visualizations.mapping.type = [marker|choropleth]
display.visualizations.mapping.drilldown = [all|none]
display.visualizations.mapping.map.center = (<decimal>,<decimal>)
display.visualizations.mapping.map.zoom = <integer>
display.visualizations.mapping.map.scrollZoom = [0 | 1]
display.visualizations.mapping.map.panning    = [0 | 1]
display.visualizations.mapping.choroplethLayer.colorMode = [auto|sequential|divergent|categorical]
display.visualizations.mapping.choroplethLayer.maximumColor = <string>
display.visualizations.mapping.choroplethLayer.minimumColor = <string>
display.visualizations.mapping.choroplethLayer.colorBins = <integer>
display.visualizations.mapping.choroplethLayer.neutralPoint = <decimal>
display.visualizations.mapping.choroplethLayer.shapeOpacity = <decimal>
display.visualizations.mapping.choroplethLayer.showBorder = [0 | 1]
display.visualizations.mapping.markerLayer.markerOpacity = <decimal>
display.visualizations.mapping.markerLayer.markerMinSize = <integer>
display.visualizations.mapping.markerLayer.markerMaxSize = <integer>
display.visualizations.mapping.legend.placement = [bottomright|none]
display.visualizations.mapping.data.maxClusters = <integer>
display.visualizations.mapping.showTiles = [0 | 1]
display.visualizations.mapping.tileLayer.tileOpacity = <decimal>
display.visualizations.mapping.tileLayer.url = <string>
display.visualizations.mapping.tileLayer.minZoom = <integer>
display.visualizations.mapping.tileLayer.maxZoom = <integer>

# Patterns options
display.page.search.patterns.sensitivity = <decimal>

# Page options
display.page.search.mode = [fast|smart|verbose]
* This setting has no effect on saved search execution when dispatched by the
  scheduler. It only comes into effect when the search is opened in the UI and
  run manually.

display.page.search.timeline.format = [hidden|compact|full]
display.page.search.timeline.scale = [linear|log]
display.page.search.showFields = [0 | 1]
display.page.search.tab = [events|statistics|visualizations|patterns]
# Deprecated
display.page.pivot.dataModel = <string>

Table format settings


# Format options
display.statistics.format.<index> = [color|number]
display.statistics.format.<index>.field = <string>
display.statistics.format.<index>.fields = [<string>(, <string>)*]

# Color format options
display.statistics.format.<index>.scale = [category|linear|log|minMidMax|sharedCategory|threshold]
display.statistics.format.<index>.colorPalette = [expression|list|map|minMidMax|sharedList]

# Number format options
display.statistics.format.<index>.precision = <integer>
display.statistics.format.<index>.useThousandSeparators = <boolean>
display.statistics.format.<index>.unit = <string>
display.statistics.format.<index>.unitPosition = [before|after]

# Scale options for 'category'
display.statistics.format.<index>.scale.categories = [<string>(, <string>)*]

# Scale options for 'log'
display.statistics.format.<index>.scale.base = <integer>

# Scale options for 'minMidMax'
display.statistics.format.<index>.scale.minType = [number|percent|percentile]
display.statistics.format.<index>.scale.minValue = <decimal>
display.statistics.format.<index>.scale.midType = [number|percent|percentile]
display.statistics.format.<index>.scale.midValue = <decimal>
display.statistics.format.<index>.scale.maxType = [number|percent|percentile]
display.statistics.format.<index>.scale.maxValue = <decimal>

# Scale options for 'threshold'
display.statistics.format.<index>.scale.thresholds = [<decimal>(, <decimal>)*]

# Color palette options for 'expression'
display.statistics.format.<index>.colorPalette.rule = <string>

# Color palette options for 'list'
display.statistics.format.<index>.colorPalette.colors = [<hex>(, <hex>)*]
display.statistics.format.<index>.colorPalette.interpolate = <boolean>

# Color palette options for 'map'
display.statistics.format.<index>.colorPalette.colors = {<string>:<hex>(, <string>:<hex>)*}

# Color palette options for 'minMidMax'
display.statistics.format.<index>.colorPalette.minColor = <hex>
display.statistics.format.<index>.colorPalette.midColor = <hex>
display.statistics.format.<index>.colorPalette.maxColor = <hex>

Other settings


embed.enabled = [0 | 1]
* Specifies whether a saved search is shared for access with a guestpass.
* The only acceptable values for this setting are 0 and 1.
* Search artifacts of a search can be viewed using a guestpass only if:
  * A token has been generated that is associated with this saved search.
    The token is associated with a particular user and app context.
  * The user to whom the token belongs has permissions to view that search.
  * The saved search has been scheduled and there are artifacts available.
    Only artifacts are available using guestpass. A search is never dispatched.
  * The saved search is not disabled, it is scheduled.
  * The saved search is not real-time.
  * The saved search is not an alert.
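Because 'embed.enabled = 1' exposes scheduled artifacts to anyone holding the guestpass token, an added audit (example code, not Splunk's) that parses a savedsearches.conf and reports which of the preconditions above each embed-enabled stanza visibly fails. The keys enableSched, cron_schedule, alert_type and actions are defined elsewhere in savedsearches.conf.spec; token and artifact state live outside the file and are not checked; the sample conf is constructed.

```python
"""Audit savedsearches.conf stanzas with embed.enabled = 1 against the
guestpass preconditions in the spec. Added example, not Splunk code."""

TRUE_VALUES = {"1", "true", "t", "yes", "y", "on"}


def parse_conf(text):
    """Minimal parser for Splunk .conf syntax: [stanza] headers, key = value
    lines and '#' comments. Line continuation is not handled."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def truthy(value):
    return (value or "").strip().lower() in TRUE_VALUES


def guestpass_findings(stanza):
    """Preconditions an embed-enabled stanza visibly fails; [] means the
    stanza looks eligible for guestpass viewing as far as the file shows."""
    findings = []
    if truthy(stanza.get("disabled")):
        findings.append("disabled")
    if not (truthy(stanza.get("enableSched")) and stanza.get("cron_schedule")):
        findings.append("not scheduled")
    # A real-time time range uses the 'rt' prefix in the dispatch window.
    if any(stanza.get(k, "").startswith("rt")
           for k in ("dispatch.earliest_time", "dispatch.latest_time")):
        findings.append("real-time")
    # A trigger condition or configured actions make the search an alert.
    if stanza.get("alert_type", "always") != "always" or stanza.get("actions"):
        findings.append("alert")
    return findings


def audit(text):
    """Map each embed-enabled stanza name to its list of findings."""
    return {name: guestpass_findings(st)
            for name, st in parse_conf(text).items()
            if truthy(st.get("embed.enabled"))}


SAMPLE_CONF = """\
# constructed sample, not from a real deployment
[Exposed daily report]
search = index=_internal | stats count by host
enableSched = 1
cron_schedule = 0 6 * * *
embed.enabled = 1

[Exposed live view]
search = index=_internal | stats count
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
enableSched = 1
cron_schedule = */5 * * * *
embed.enabled = 1

[Exposed alert]
search = error
enableSched = 1
cron_schedule = */5 * * * *
alert_type = number of events
actions = email
disabled = 1
embed.enabled = 1

[Private report]
search = index=_internal | head 10
embed.enabled = 0
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONF).items():
        print(f"{name}: {'ok' if not findings else 'fails: ' + ', '.join(findings)}")
```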

defer_scheduled_searchable_idxc = <boolean>
* Specifies whether to defer a continuous saved search during a searchable
  rolling restart or searchable rolling upgrade of an indexer cluster.
* Note: When disabled, a continuous saved search might return partial results.
* Default: false (disabled)

skip_scheduled_realtime_idxc = <boolean>
* Specifies whether to skip a continuous saved realtime search during a searchable
  rolling restart or searchable rolling upgrade of an indexer cluster.
* Note: When set to false, a continuous saved search might return partial results.
* Default: false (does not skip)

precalculate_required_fields_for_alerts = <boolean>
* Specifies whether to precalculate the required fields from the alert 
  condition search and use the result in the main search. Giving the required 
  fields to the main search may decrease performance in some cases where the 
  system is bottlenecked on the search scheduler. 
* If "false", the required fields are not precalculated, which may free up the 
  search scheduler and improve performance, but at the cost of potentially more 
  work in the main search. 
* Note: Do not change unless instructed to do so by Splunk Support.
* Default: true

Deprecated settings


sendresults = <boolean>
* Use the 'action.email.sendresult' setting.

action_rss = <boolean>
* Use the 'action.rss' setting.

action_email = <string>
* Use the 'action.email' and 'action.email.to' settings.

role = <string>
* See saved search permissions.

userid = <string>
* See saved search permissions.

query = <string>
* Use the 'search' setting.

nextrun  = <integer>
* Not used anymore. The scheduler maintains this info internally.

qualifiedSearch = <string>
* Not used anymore. Splunk software computes this value during runtime.

savedsearches.conf.example

#   Version 9.3.1
#
# This file contains example saved searches and alerts.
#
# To use one or more of these configurations, copy the configuration block into
# savedsearches.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk
# to enable configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles


# The following searches are example searches.  To create your own search,
# modify the values by following the spec outlined in savedsearches.conf.spec.


[Daily indexing volume by server]
search = index=_internal todaysBytesIndexed LicenseManager-Audit NOT source=*web_service.log NOT source=*web_access.log | eval Daily_Indexing_Volume_in_MBs = todaysBytesIndexed/1024/1024 | timechart avg(Daily_Indexing_Volume_in_MBs) by host
dispatch.earliest_time = -7d

[Errors in the last 24 hours]
search = error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
dispatch.earliest_time = -1d

[Errors in the last hour]
search = error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
dispatch.earliest_time = -1h

[KB indexed per hour last 24 hours]
search = index=_internal metrics group=per_index_thruput NOT debug NOT sourcetype=splunk_web_access | timechart fixedrange=t span=1h sum(kb) | rename sum(kb) as totalKB
dispatch.earliest_time = -1d

[Messages by minute last 3 hours]
search = index=_internal eps "group=per_source_thruput" NOT filetracker | eval events=eps*kb/kbps | timechart fixedrange=t span=1m sum(events) by series
dispatch.earliest_time = -3h

[Splunk errors last 24 hours]
search = index=_internal " error " NOT debug source=*/splunkd.log*
dispatch.earliest_time = -24h

[stats with durable search]
search = index=_internal eps | stats avg(eps) as avg, max(eps) as max, min(eps) as min
dispatch.indexed_earliest = -30m
dispatch.indexed_latest   = now

durable.track_time_type   = _indextime
durable.lag_time          = 60
durable.backfill_type     = time_interval
durable.max_backfill_intervals = 100

Last modified on 12 September, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.3.1

