Topics

| pdf version

About the Splunk Admin Manual

How Splunk Works

Getting Started

Data Inputs

Data Distribution

Indexing

Timestamps

Fields

Hosts

Source Types

Event Types

Transaction Types

Search

Distributed Search

Alerts

Security

Data Management

Deployment Server

Performance Tuning

Configuration Files

Applications

Reference

Troubleshooting


Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

Set up saved searches via savedsearches.conf

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13

Set up saved searches via savedsearches.conf

Configure saved searches with savedsearches.conf. Use the $SPLUNK_HOME/etc/system/README/savedsearches.conf.example as an example, or create your own savedsearches.conf. Make any changes in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.


To turn your saved search into an alert, see set up alerts via savedsearches.conf.


Configuration

Edit $SPLUNK_HOME/etc/system/local/savedsearches.conf to create a saved search. A savedsearches.conf stanza looks like: 


[<Splunk name>]
attribute1 = val1 
attribute2 = val2

There are several attribute/value pairs available for savedsearches.conf. The following pairs may be used to create a saved search.


search = <string>

  • Actual query terms of the saved search.
    • For example index::sampledata http NOT 500.
  • Your query can include macro searches for substition.
  • To create a macro search, read the documentation on macro search.

role = <string>

  • Role (from authorize.conf that this saved search is shared with.
  • Anyone that is a member of that role will see the saved search in their dashboard.

userid = <integer>

  • UserId of the user who created this saved search.
    • Splunk needs this information to log who ran the search, and create editing capabilities in Splunk Web.
  • Possible values: Any Splunk user ID.
  • User IDs are found in $SPLUNK_HOME/etc/passwd.
    • Look for the first number on each line, right before the username.
    • For example 2:penelope....

Example

This example search is called j_client_ip and runs the search host="j_apache" | top limit=100 clientip. It's shared with the Admin role -- role is set to 'Admin.' 


[j_client_ip]
search = host="j_apache"  | top limit=100 clientip
role = Admin
userid = 1

Note: In versions 3.2 and above, saved searches set to run on a schedule don't show a nextrun time in savedsearches.conf.

Retrieved from "http://www.splunk.com/base/Documentation/3.3.1/Admin/SetUpSavedSearchesViaSavedsearchesconf"
Revision: 207 Contact Privacy Policy Terms of Use Community content licensed under Creative Commons

Copyright © 2005-2010 Splunk Inc. All rights reserved.