Runs a saved search, or report, and returns the search results of a saved search. If the search contains replacement placeholder terms, such as $replace_me$, the search processor replaces the placeholders with the strings you specify. For example:
|savedsearch mysearch replace_me="value"
| savedsearch <savedsearch_name> [<savedsearch-options>...]
- Syntax: <string>
- Description: Name of the saved search to run.
- Syntax: <substitution-control> | <replacement>
- Description: Specify whether substitutions are allowed. If allowed, specify the key-value pair to use in the string substitution replacement.
- Syntax: nosubstitution=<bool>
- Description: If true, no string substitution replacements are made.
- Default: false
- Syntax: <field>=<string>
- Description: A key-value pair to use in string substitution replacement.
savedsearch command is a generating command and must start with a leading pipe character.
savedsearch command always runs a new search. To reanimate the results of a previously run search, use the
savedsearch command runs a saved search, the command always applies the permissions associated with the role of the person running the
savedsearch command to the search. The
savedsearch command never applies the permissions associated with the role of the person who created and owns the search to the search. This happens even when a saved search has been set up to run as the report owner.
See Determine whether to run reports as the report owner or user in the Reporting Manual.
- If you specify All Time in the time range picker, the
savedsearchcommand uses the time range that was saved with the saved search.
- If you specify any other time in the time range picker, the time range that you specify overrides the time range that was saved with the saved search.
Run the saved search "mysecurityquery".
| savedsearch mysecurityquery
Run the saved search "mysearch". Where the replacement placeholder term $replace_me$ appears in the saved search, use "value" instead.
|savedsearch mysearch replace_me="value"...
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209 (latest FedRAMP release), 9.0.2303
Feedback submitted, thanks!