
Save and share Log Observer queries

After you create useful queries in Log Observer, you can save them and share them with team members. A saved query is made up of a filter and any aggregations or search-time rules you applied during the search. You can only save a query if you have created a filter.

To learn how to create filters, see Search logs by keywords. The default aggregation is All (*) logs grouped by Severity. To learn how to create a unique aggregation, see Identify problem areas using log aggregation. To learn how to create search-time rules, see Apply processing rules across historical data.

Note

All organizations have access to pre-defined queries for Kubernetes and Cassandra. These queries appear at the beginning of the list of saved queries and are a part of content packs. Content packs include pre-defined saved queries as well as log processing rules. Splunk Observability Cloud includes content packs for Kubernetes System Events and Cassandra.

You can also download the results of a query as a CSV or JSON file. See Export query results as a CSV or JSON file to learn how.

Save a Log Observer query

To create and save a query, follow these steps:

  1. In the control bar, click Add Filter, then enter a keyword.

  2. To override the default aggregation, follow these steps:

    1. Using the calculation control, set the calculation type you want from the drop-down list. The default is Count.

    2. Select the field that you want to aggregate by.

    3. In the Group by text box, type the name of the field you want to group by.

    4. Click Apply.

  3. Click the More menu icon, then select Save Query from the drop-down list. The Save Query dialog box appears.

  4. In the Name text box, enter a name for your query.

  5. Optionally, you can describe the query in the Description text box.

  6. Optionally, in the Tags text box, enter tags to help you and your team locate the query. Log Observer stores tags you’ve used before and auto-populates the Tags text box as you type.

  7. To save this query as a public query, click Filter sharing permissions set to public. When you save a query as a public query, any user with access to Log Observer can view and delete it.

Use Log Observer saved queries

You can view, share, set as default, or delete saved queries in the Saved Queries catalog. To access the Saved Queries catalog, in the control bar click Saved Queries.

The following table lists the actions you can take in the Saved Queries catalog.

  Desired action: Find a saved query
    Procedure: Type the name or tags of the saved query into the search box.

  Desired action: View or apply a saved query
    Procedure: Click Apply to the right of the query you want to view.

  Desired action: Set a saved query as the default
    Procedure: Click the More icon for the query, then select Make default query on page load.

  Desired action: Change the current default saved query
    Procedure: Click the More icon for the query, then select Unset as default query, then click Confirm. Next, set the new default query.

  Desired action: Delete a saved query from your Saved Queries catalog
    Procedure: Click the More icon for the query, then select Delete Query.

Note

If you set a saved query as default, Log Observer displays the result of that query on launch.

Export query results as a CSV or JSON file

You can download a maximum of 10,000 logs at a time, even if your query returned more than 10,000 logs.

To export query results, follow these steps:

  1. Click Download at the top of the Raw Logs table.

  2. Enter a name for your file.

  3. Select CSV or JSON.

  4. Click Download.