Save and share Log Observer queries


Only customers with a Splunk Log Observer entitlement in Splunk Observability Cloud can save and share Log Observer queries. If you do not have a Log Observer entitlement and are using Splunk Log Observer Connect instead, see Introduction to Splunk Log Observer Connect to learn what you can do with the Splunk Enterprise integration.

After you create useful queries in Log Observer, you can save them and share them with team members. You can only save or share queries on the Observability Cloud data index. A saved query is made up of a filter and any aggregations or search-time rules you applied during the search. You can only save a query if you have created a filter.

To learn how to create filters, see Search logs by keywords or fields. Log Observer Connect has no default aggregation. Log Observer defaults to All (*) logs grouped by Severity. To learn how to create a unique aggregation, see Group logs by fields using log aggregation. To learn how to create search-time rules, see Apply processing rules across historical data.


All organizations have access to pre-defined queries for Kubernetes and Cassandra. These queries appear at the beginning of the list of saved queries and are a part of content packs. Content packs include pre-defined saved queries as well as log processing rules. Splunk Observability Cloud includes content packs for Kubernetes System Events and Cassandra.

You can also download the results of a query as a CSV or JSON file. See Export query results as a CSV or JSON file to learn how.

Save a Log Observer query

To create a query, follow these steps:

  1. In the control bar, select the desired time increment from the time picker, then in the Index field, select Observability Cloud data. Click Add Filter, then enter a keyword or field.

  2. To override the default aggregation, follow these steps:

    1. Using the calculation control, set the calculation type you want from the drop-down list. The default is Count.

    2. Select the field that you want to aggregate by.

    3. In the Group by text box, type the name of the field you want to group by.

    4. Click Apply.

  3. Click the Save menu icon, then select Save Query from the drop-down list. The Save Query dialog box appears.

  4. In the Name text box, enter a name for your query.

  5. Optionally, you can describe the query in the Description text box.

  6. Optionally, in the Tags text box, enter tags to help you and your team locate the query. Log Observer stores tags you’ve used before and auto-populates the Tags text box as you type.

  7. To save this query as a public query, click Filter sharing permissions set to public. When you save a query as a public query, any user in your organization can view and delete it in Log Observer.

Use Log Observer saved queries

You can view, share, set as default, or delete saved queries in the Saved Queries catalog. To access the Saved Queries catalog, in the control bar click Saved Queries.

The following table lists the actions you can take in the Saved Queries catalog.

| Desired action | Steps |
| --- | --- |
| Find a saved query | Type the name or tags for a saved filter into the search box. |
| View or apply a saved query | Click Apply to the right of the query you want to view. |
| Set a saved query as the default | Click the More icon for the query, then select Make default query on page load. |
| Change the current default saved query | Click the More icon for the query, then select Unset as default query, then click Confirm. Next, set the new default query. |
| Delete a saved query from your Saved Queries catalog | Click the More icon for the query, then select Delete Query. |


If you set a saved query as default, Log Observer displays the result of that query on launch.

Export query results as a CSV or JSON file

You can download a maximum of 10,000 logs at a time, even if your query returned more than 10,000 logs.

To export query results, follow these steps:

  1. Click Download at the top of the Logs table.

  2. Enter a name for your file.

  3. Select CSV or JSON.

  4. Click Download.