This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6
Configure saved searches with savedsearches.conf. Use the $SPLUNK_HOME/etc/system/README/savedsearches.conf.example as an example, or create your own savedsearches.conf. Make any changes in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.
To turn your saved search into an alert, see set up alerts via savedsearches.conf.
Edit $SPLUNK_HOME/etc/system/local/savedsearches.conf to create a saved search. A savedsearches.conf stanza looks like:
    [<Splunk name>]
    attribute1 = val1
    attribute2 = val2
There are several attribute/value pairs available for savedsearches.conf. The following pairs may be used to create a saved search:
    search = <string>
        The search string to run.
    role = <string>
        The role the saved search is shared with (for example, Admin).
This example saved search is called j_client_ip and runs the search host="j_apache" | top limit=100 clientip. It is shared with the Admin role, so role is set to Admin:
    [j_client_ip]
    role = Admin
    search = host="j_apache" | top limit=100 clientip
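As an added example (it is not from this page or from Splunk), the script below reads savedsearches.conf stanzas like the one above with Python's configparser, audits which saved searches carry both a search string and a role, and shows how a copy in $SPLUNK_HOME/etc/system/local/ need only contain the attributes it changes, with the rest coming from the lower-precedence copy. The j_client_ip stanza is taken from this page; the failed_logins stanza, the LOCAL_CONF text and all function names are constructed for the example.

```python
"""Audit a Splunk 3.x savedsearches.conf for what each saved search runs and
who it is shared with.

Added example for this page; not Splunk code. Splunk .conf files are
INI-style ([stanza] followed by attribute = value lines), so Python's
configparser can read them. Only the two attributes shown on the page,
`search` and `role`, are inspected. SAMPLE_CONF and LOCAL_CONF are
constructed for the example.
"""
import configparser
from typing import Dict, List

# Constructed sample: the page's j_client_ip stanza plus a stanza that was
# saved without a role, which is the case the audit is meant to catch.
SAMPLE_CONF = """\
# savedsearches.conf (constructed sample)
[j_client_ip]
role = Admin
search = host="j_apache" | top limit=100 clientip

[failed_logins]
search = sourcetype=secure "Failed password" | stats count by src_ip
"""

# Constructed sample of a higher-precedence copy (etc/system/local) that
# supplies only the attribute being changed.
LOCAL_CONF = """\
# etc/system/local/savedsearches.conf (constructed sample)
[failed_logins]
role = Admin
"""

Stanzas = Dict[str, Dict[str, str]]


def parse_savedsearches(text: str) -> Stanzas:
    """Return {stanza_name: {attribute: value}} for every stanza in text."""
    parser = configparser.ConfigParser(
        interpolation=None,         # search strings may contain a literal '%'
        delimiters=("=",),          # Splunk uses only '=' between attribute and value
        comment_prefixes=("#",),    # '#' starts a comment line in Splunk .conf files
        default_section="default",  # a [default] stanza applies to every stanza
        strict=True,                # a duplicated stanza or attribute is a real error
    )
    parser.optionxform = str        # keep attribute names case-sensitive
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def layer(base: Stanzas, override: Stanzas) -> Stanzas:
    """Merge a higher-precedence copy (e.g. etc/system/local) over a lower one
    (e.g. etc/system/default) attribute by attribute, as Splunk layers .conf
    files: a local stanza only needs the attributes it changes."""
    merged = {name: dict(attrs) for name, attrs in base.items()}
    for name, attrs in override.items():
        merged.setdefault(name, {}).update(attrs)
    return merged


def audit(stanzas: Stanzas) -> List[str]:
    """List stanzas that lack a search to run or a role to share with."""
    problems = []
    for name, attrs in sorted(stanzas.items()):
        if "search" not in attrs:
            problems.append(f"{name}: no search attribute set")
        if "role" not in attrs:
            problems.append(f"{name}: no role attribute set")
    return problems


def searches_for_role(stanzas: Stanzas, role: str) -> List[str]:
    """Names of the saved searches shared with the given role."""
    return sorted(n for n, a in stanzas.items() if a.get("role") == role)


if __name__ == "__main__":
    default_copy = parse_savedsearches(SAMPLE_CONF)
    for line in audit(default_copy):
        print("before local overlay:", line)
    effective = layer(default_copy, parse_savedsearches(LOCAL_CONF))
    for name, attrs in effective.items():
        print(f"{name}: role={attrs.get('role', '<none>')} search={attrs['search']}")
    print("problems after local overlay:", audit(effective))
```

Run it against a real savedsearches.conf by passing the file contents to parse_savedsearches(); the audit reports every saved search whose sharing is not pinned to a role, which is the check to make before handing a search to other users.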
Note: In versions 3.2 and above, saved searches set to run on a schedule don't show a nextrun time in savedsearches.conf.