Save and share Log Observer Connect queries
After you create useful queries in Log Observer Connect, you can save them and share them with team members. A saved query is made up of a filter and any aggregations or search-time rules you applied during the search. You can only save a query if you have created a filter.
To learn how to create filters, see Search logs by keywords or fields. Log Observer Connect has no default aggregation. To learn how to create a unique aggregation, see Group logs by fields using log aggregation.
Note: All organizations have access to pre-defined queries for Kubernetes and Cassandra. These queries appear at the beginning of the list of saved queries and are a part of content packs. Content packs include pre-defined saved queries as well as log processing rules. Splunk Observability Cloud includes content packs for Kubernetes System Events and Cassandra.
You can also download the results of a query as a CSV or JSON file. See Export query results as a CSV or JSON file to learn how.
Prerequisites
To save and share Log Observer Connect queries, you must have an administrator or power user role.
Save a Log Observer Connect query
To create and save a query, follow these steps:
1. In the control bar, select the desired time increment from the time picker, then in the Index field, select the index you want to search. Select Add Filter, then enter a keyword or field.
2. To set an aggregation, follow these steps:
   1. Using the calculation control, set the calculation type you want from the list. The default is Count.
   2. Select the field that you want to aggregate by.
   3. In the Group by text box, enter the name of the field you want to group by.
   4. Select Apply.
3. Select the Save menu icon, then select Save Query from the list. The Save Query dialog box appears.
4. In the Name text box, enter a name for your query.
5. Optionally, describe the query in the Description text box.
6. Optionally, in the Tags text box, enter tags to help you and your team locate the query. Log Observer Connect stores tags you’ve used before and auto-populates the Tags text box.
7. To save this query as a public query, set Filter sharing permissions to public. When you save a query as a public query, any user in your organization can view and delete it in Log Observer Connect.
Use Log Observer Connect saved queries
You can view, share, set as default, or delete saved queries in the Saved Queries catalog. To access the Saved Queries catalog, in the control bar enter Saved Queries.
The following table lists the actions you can take in the Saved Queries catalog.
| Desired action | Procedure |
|---|---|
| Find a saved query | Enter the name or tags for a saved filter into the search box. |
| View or apply a saved query | Select Apply next to the query you want to view. |
| Set a saved query as the default | Select the More icon for the query, then select Make default query on page load. |
| Change the current default saved query | Select the More icon for the query, then select Unset as default query, then select Confirm. Next, set the new default query. |
| Delete a saved query from your Saved Queries catalog | Select the More icon for the query, then select Delete Query. |
Note: If you set a saved query as default, when you open Log Observer Connect, it displays the result of that query.
Export query results as a CSV or JSON file
You can download a maximum of 10,000 logs at a time, even if your query returned more than 10,000 logs.
To export query results, follow these steps:
1. Select Download at the top of the Logs table.
2. Enter a name for your file.
3. Select CSV or JSON.
4. Select Download.
Note: Use Open in Splunk Platform if the logs are stored in Splunk Cloud Platform or Splunk Enterprise. You cannot export logs directly when using Log Observer Connect.
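The 10,000-log export limit above, worked through as an added Python example that is not part of this documentation or of Splunk's own code: it serialises a list of log records to CSV or JSON, stops at the cap and reports whether records were left behind, then parses the file back to check the round trip. The record shape, the constructed sample logs, and the quoting of CSV cells that begin with formula characters (a common hardening for CSV files that will be opened in spreadsheet software) are this example's own assumptions, not product behaviour.

```python
"""Added example: write query results to CSV or JSON with a 10,000-log cap."""
import csv
import io
import json

MAX_LOGS_PER_EXPORT = 10_000  # limit stated on the documentation page

# Characters that spreadsheet software may treat as the start of a formula.
# Neutralising them is this example's own hardening choice, not product behaviour.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Return the value as text, prefixed with a quote if it could start a formula."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_logs(logs, fmt):
    """Serialise up to MAX_LOGS_PER_EXPORT records as CSV or JSON.

    Returns (data, truncated): the file contents as a string and whether
    records beyond the cap were dropped.
    """
    if fmt not in ("csv", "json"):
        raise ValueError("format must be 'csv' or 'json'")
    batch = logs[:MAX_LOGS_PER_EXPORT]
    truncated = len(logs) > MAX_LOGS_PER_EXPORT
    if fmt == "json":
        # JSON is read by programs, not spreadsheets, so values are kept verbatim.
        return json.dumps(batch, indent=2), truncated
    # Union of field names across records, in first-seen order, so sparse
    # records still line up under a single header row.
    fields = []
    for record in batch:
        for key in record:
            if key not in fields:
                fields.append(key)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, extrasaction="ignore", restval="")
    writer.writeheader()
    for record in batch:
        writer.writerow({k: neutralise_cell(v) for k, v in record.items()})
    return out.getvalue(), truncated


def read_back(data, fmt):
    """Parse an exported file back into a list of records (round-trip check)."""
    if fmt == "json":
        return json.loads(data)
    return list(csv.DictReader(io.StringIO(data)))


# Constructed sample: 10,003 records so the cap is exercised, plus one
# message that starts with "=" to show the spreadsheet-formula guard.
SAMPLE_LOGS = [
    {"_time": f"2024-10-03T00:00:{i % 60:02d}Z", "host": f"web{i % 3}",
     "message": f"request {i} served"}
    for i in range(10_003)
]
SAMPLE_LOGS[0]["message"] = '=HYPERLINK("http://example.invalid")'

if __name__ == "__main__":
    data, truncated = export_logs(SAMPLE_LOGS, "csv")
    rows = read_back(data, "csv")
    print("rows exported:", len(rows), "truncated:", truncated)
    print("first message as stored in the CSV:", rows[0]["message"])
```

When `truncated` comes back true, the practical response is the one the documentation implies: narrow the time range or tighten the filter so that a single download covers everything you need. Prefixing cells that start with `-` also touches negative numbers, so drop that character from `FORMULA_PREFIXES` if numeric columns matter more than spreadsheet safety in your workflow.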
This page was last updated on Oct 03, 2024.