savedsearch

Description

Runs a saved search, or report, and returns the search results of a saved search. If the search contains replacement placeholder terms, such as $replace_me$, the search processor replaces the placeholders with the strings you specify. For example:

|savedsearch mysearch replace_me="value"

Syntax

| savedsearch <savedsearch_name> [<savedsearch-options>...]

Required arguments

savedsearch_name

Syntax: <string>

Description: Name of the saved search to run.

Optional arguments

savedsearch-options

Syntax: <substitution-control> | <replacement>

Description: Specify whether substitutions are allowed. If allowed, specify the key-value pair to use in the string substitution replacement.

substitution-control

Syntax: nosubstitution=<bool>

Description: If true, no string substitution replacements are made.

Default: false

replacement

Syntax: <field>=<string>

Description: A key-value pair to use in string substitution replacement.

Usage

The savedsearch command is a generating command and must start with a leading pipe character.

The savedsearch command always runs a new search. To reanimate the results of a previously run search, use the loadjob command.

Time ranges

• If you specify All Time in the time range picker, the savedsearch command uses the time range that was saved with the saved search.

• If you specify any other time in the time range picker, the time range that you specify overrides the time range that was saved with the saved search.

Examples

Example 1

Run the saved search "mysecurityquery".

| savedsearch mysecurityquery

Example2

Run the saved search "mysearch". Where the replacement placeholder term $replace_me$ appears in the saved search, use "value" instead.

|savedsearch mysearch replace_me="value"...

See also

search, loadjob