How Saved Searches Work
This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0
How Saved Searches Work
- Saved searches are search strings that have been saved for re-use.
- Saved searches may be scheduled and rules may be set to generate alerts. Learn more about setting up alerts.
- Saved searches may be saved to share or be saved as private. Shared and personally owned saved searches appear on the landing page:
Set Up Saved Searches via SplunkWeb
- Refine the search until you consider it worthy.
- Click on the drop-down arrow next to the search bar:
- Select Save search...
- Give your saved search a name.
- Select the radio button Share with all users to yes if you want to share your saved search.
Please note: You can optionally schedule the Saved Search to run on a schedule by specifying either a basic or cron schedule. Saved searches for alerts usually have a time range specified, you can set your time range using modifiers like daysago:1 or starthoursago:4. See the search reference for more. You can also find a reference on cron schedules on this page.
- Click the Save button to add the Saved Search.
You can edit saved searches at any time by clicking on the Admin link in the upper right hand corner, and then selecting the Saved Searches tab:
Configuration files for saved searches and alerts
Saved searches are defined in savedsearches.conf. However, most modifications can be done through SplunkWeb.
You may wish to share saved searches via SplunkBase, or distribute them as bundles to other systems in your data center. Learn more about bundle files.