Splunk Cloud Platform

Search Reference

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

savedsearch

Description

Runs a saved search, or report, and returns the search results of a saved search. If the search contains replacement placeholder terms, such as $replace_me$, the search processor replaces the placeholders with the strings you specify. For example:

|savedsearch mysearch replace_me="value"

Syntax

| savedsearch <savedsearch_name> [<savedsearch-options>...]

Required arguments

savedsearch_name
Syntax: <string>
Description: Name of the saved search to run.

Optional arguments

savedsearch-options
Syntax: <substitution-control> | <replacement>
Description: Specify whether substitutions are allowed. If allowed, specify the key-value pair to use in the string substitution replacement.
substitution-control
Syntax: nosubstitution=<bool>
Description: If true, no string substitution replacements are made.
Default: false
replacement
Syntax: <field>=<string>
Description: A key-value pair to use in string substitution replacement.

Usage

The savedsearch command is a generating command and must start with a leading pipe character.

The savedsearch command always runs a new search. To reanimate the results of a previously run search, use the loadjob command.

Time ranges

  • If you specify All Time in the time range picker, the savedsearch command uses the time range that was saved with the saved search.
  • If you specify any other time in the time range picker, the time range that you specify overrides the time range that was saved with the saved search.

Examples

Example 1

Run the saved search "mysecurityquery".

| savedsearch mysecurityquery

Example2

Run the saved search "mysearch". Where the replacement placeholder term $replace_me$ appears in the saved search, use "value" instead.

|savedsearch mysearch replace_me="value"...

See also

search, loadjob

Last modified on 22 July, 2020
PREVIOUS
run 		  NEXT
script

This documentation applies to the following versions of Splunk Cloud Platform: 8.0.2006, 8.0.2007, 8.1.2009, 8.1.2012, 8.1.2011, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106, 8.2.2107, 8.2.2109

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters