Set up saved searches

Set up saved searches

You can set up saved searches via SplunkWeb or via savedsearches.conf.

via SplunkWeb

• Refine the search until you consider it worthy.
  • Test your searches before you save them.
  • Saved searches for alerts usually have a time range specified, you can set your time range using modifiers like daysago:1 or starthoursago:4. See the search reference.
  • Saved searches may include reports, as well.
  • Note: Many complex, long running searches may slow down your Splunk instance. Make sure you optimize your searches before saving them in a saved search.
• Click on the drop-down arrow next to the search bar:

• Select Save search...
• Give your saved search a name.
• Select the radio button Share with all users to yes if you want to share your saved search.
• Click the Save button to add the Saved Search.

You can edit saved searches at any time by clicking on the Admin link in the upper right hand corner, and then selecting the Saved Searches tab:

Schedule a saved search

You can optionally schedule your Saved Search to run on a schedule by clicking the Schedules & Alerts link.

• Click Run this search on a schedule to enable scheduling.
• Pick from the drop-down next to Run every or click Advanced scheduling to specify a cron schedule for your search.
• Set Alerts to always and enter your email address if you want to receive a scheduled report via email.
  • You can also create an RSS feed.

Image:Setupsavedsearches-schedulenocron.jpg

via configuration files

Saved searches are defined in savedsearches.conf. Any options you set through SplunkWeb will be written out to this file. You may also edit savedsearches.conf using the parameters specified in $SPLUNK_HOME/etc/bundles/README/savedsearches.conf.spec.

Configuration

Edit $SPLUNK_HOME/etc/bundles/local/savedsearches.conf to create a Saved Search. A savedsearches.conf stanza will look like:

[<Splunk name>]
attribute1 = val1 
attribute2 = val2

There are several attribute/value pairs available in savedsearches.conf. The following pairs may be used to create a Saved Search.

[<stanza name>]
	* Name of the saved search stanza.
query = <string>
	* Actual query terms of the saved search.
	* For example index::sampledata http NOT 500
isglobal = <integer>
	* Toggle whether this saved search is shared with all users.
	* If isglobal is set to 1, everyone can see/use this saved search.
	* If set to 0, only the user who created the saved search can see it.
name = <string>
	* Actual displayed name of the saved search.
	* This will show in SplunkWeb, and you can search savedsearch=<string>.

alerting options

To turn on alerting options via savedsearches.conf use the following attribute/value pairs:

counttype = <string>
    * Set the type of count for alerting.
    * Possible values:  number of events, number of hosts, number of sources, number of sourcetypes.
        
relation = <string>
    * How to compare against counttype.
    * Possible values:  greater than, less than, equal to, drops by, rises by.
quantity = <integer>
    * Number to compare against the given counttype.
schedule = <string>
    * Cron style schedule (i.e. */12 * * * *).
action_script = <string>
    * Your search can trigger a shell script.
    * Specify the name of the shell script to run.
    * Place the script in $SPLUNK_HOME/bin/scripts.
   	* Command line arguments passed to the script are:
		# $1 - number of events returned when search run.
		# $2 - searched terms saved at the time saved search was created.
		# $3 - fully qualified query string, the way query is run internally.
		# $4 - saved search name.
		# $5 - trigger reason for the alert.
		# $6 - encoded http link to the saved search results.
		# $7 - tags that have been saved against this saved search, if there are any. 
		# $8 - file where the results for this search are stored (contains raw results).
		# value - file script name.
action_rss = <integer> 
    * Toggle whether or not to create an RSS link.
    * Possible values: 1/0 (1 to create, 0 to disable).
action_email = <string>
    * Comma delimited list of email addresses to send alerts to.
sendresults = <integer>
    * Whether or not to send the results along with the email/shell script.
    * Possible values: 1/0 (1 to send, 0 to disable).

display options

You can also set the display options for your saved search in savedsearches.conf. Here are the possible attribute/value pairs:

viewstate.resultView = reportView
	* The UI state for a saved search.
	* Can be either normalView or reportView.
	* normalView returns the SplunkWeb search interface.
	* reportView returns the report interface.
viewstate.chart.plotMode = column
	* Set the plot mode for a chart returned by a saved search.
	* Only valid when viewstate.resultView == reportView
	* Possible values:  area,  axis,  bubble, column, donut, heatmap, legend, line, pie, scatte,
	stackedarea, stackedcolumn.
viewstate.prefs.selectedKeys = source host sourcetype
	* Space-delimited list of field to use. 
	* Always auto-generated, but can be edited after the fact to include new fields.

Example

[j_client_ip]
action_rss = 0
disabled = false
enableSched = 0
isGlobal = 0
query = host::j_apache  | top limit=100 clientip
sendresults = 0

The above search is called j_client_ip and runs the query host::j_apache | top limit=100 clientip. It has not been turned into an alert -- action_rss , enableSched and sendresults are all set to '0.' It has not been shared -- isGlobal is set to '0.'