Save searches and share search results

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10

After entering a search that returns interesting results, you can either save the search string (to run the search later) or the search results (to review the results later).

You can share the search results with others by exporting the results to a csv, xml, or html file, or by providing a URL that links the recipient to the search job directly.


Create a saved search

You can create a new saved search in any of the following ways:

  • You can quickly save a completed or finalized ad-hoc search by selecting Save search from the Actions menu.
  • You can create a new saved search in Manager. Start by navigating to the Saved Searches and Reports page in Splunk Manager. Click the Manager link in the upper right-hand corner of the screen. When you get to the Manager main page, click Searches and reports. Once you get to the Searches and reports page, click New to enter a new saved search. Keep in mind that you need to enter the string for the search that you want to save yourself; it is not entered for you.
  • You can also create a new saved search by manually adding it to the savedsearches.conf configuration file. See the savedsearches.conf spec and example files for more information about how to do this.

At minimum, a saved search includes the search string and the time range associated with the search, as well as the name of the search (this is what appears in Searches & Reports after the search is saved). When you run the saved search, Splunk creates a new search job using the search string and time range that you defined for the search.
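The minimum described above can be checked mechanically. The following is an added example, not Splunk's own code: it parses text in savedsearches.conf stanza format and reports saved searches that lack a search string or an explicit time range. The key names search, dispatch.earliest_time and dispatch.latest_time are assumed from the savedsearches.conf spec file, the sample stanzas are constructed, and each value is assumed to fit on one line.

```python
import configparser

# Constructed sample in savedsearches.conf stanza format (not from the page).
# The key names are assumed from the savedsearches.conf spec file; the
# stanza names and search strings are made up for illustration.
SAMPLE_CONF = """
[Failed SSH logins - last 24h]
search = sourcetype=linux_secure "Failed password"
dispatch.earliest_time = -24h
dispatch.latest_time = now

[Website errors]
search = sourcetype=access_combined status=500

[Empty placeholder]
dispatch.earliest_time = -1h
dispatch.latest_time = now
"""

REQUIRED = ("search", "dispatch.earliest_time", "dispatch.latest_time")


def audit_saved_searches(conf_text):
    """Return {stanza name: [missing keys]} for incomplete saved searches."""
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(conf_text)
    # Settings in a [default] stanza apply to every other stanza.
    defaults = dict(parser.items("default")) if parser.has_section("default") else {}
    findings = {}
    for name in parser.sections():
        if name == "default":
            continue
        missing = [
            key for key in REQUIRED
            if not parser.get(name, key, fallback=defaults.get(key, "")).strip()
        ]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit_saved_searches(SAMPLE_CONF).items():
        print(f"{name}: missing {', '.join(missing)}")
```

A stanza reported here still has a name, but without an explicit time range its scope depends on defaults set elsewhere, which is worth reviewing before the search is scheduled or shared.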

Note: You can change the navigation rules for the Search App so that searches are saved to a default location in the top-level navigation other than Searches & Reports. For more information, see "Managing saved search navigation", below.

Schedule saved searches and set up alerts

When you save a search you can arrange for it to run on a schedule and set up alert conditions for it. This means, for example, that you could have the results of the search be sent to you (or others) via email or RSS when certain conditions are met in the scheduled run of a search.

For more information about scheduling searches and setting up alerts, see the topic "Monitor recurring situations" in this manual.

Share saved searches with other users

When you first save a search, it can only be seen and used by you, and is associated with the app running when you saved the search. To learn how to share a saved search with other users and share the search so it can be used in other Splunk apps, see "Share and promote Splunk knowledge objects" in this manual.

Save charts and reports

It's important to note that saved searches do not include chart formatting parameters. If your search includes reporting commands, and you want the chart that the search produces to include custom formatting (so that it displays a pie chart rather than the default bar chart and has specific text for the title, x-axis, and y-axis, for example) be sure to save it as a report from the Report Builder. If you save it as a search, any formatting you set up for the chart in the report builder will be lost. This is especially important if you intend to display the chart in a specific way on a dashboard.

For more information, see "Save reports and share them with others" and "Create simple dashboards with the visual dashboard editor" in this manual.

Save the results of a search

Saving the results of a search is different from saving the search itself. You do this when you want to be able to review the outcome of a particular run of a search at a later time. The search can be a saved search or an ad-hoc search. When you do this, you're saving a search job, which you can access later through the Job Manager.

To do this, select Save results from the Actions dropdown menu after you run a search with results you'd like to examine or work with later.

For more information on managing search jobs through the Job Manager, see "Supervise your search jobs" in this manual.


Share search results

If you would like to share search results with others, you have a couple of options.

  • Export the event data to a file. Select Export results... from the Actions dropdown menu to export the event data from your search to a csv, raw, or xml file. This file can then be archived or used with a third-party charting application. Exporting data via Splunk Web limits you to 10,000 results. If you want to export more results, use the CLI splunk export eventdata command. For details on how the CLI works, refer to "About the CLI" in the Admin Manual.
  • Get (and share) a link to the results. Select Get link to results... from the Actions dropdown menu to get a URL link to the report results. You can share this link with other interested parties, who can view it as long as they have access to your instance of Splunk.

Note: Selecting Get link to results... automatically saves your search job, which you can access thereafter through the Jobs page. The Get Link to Results popup window enables you to undo this save action.


Managing saved search navigation

When you save a search, it should appear in one of the drop-down lists in the top-level navigation menu. In the Search app, for example, new searches appear in the Searches & Reports list by default.

If you have write permissions for an app, you can change this default location, and even set things up so that searches with particular keywords in their names are automatically placed in specific categories in the navigation menu. For example, Splunk could automatically place saved searches with the word "website" in their name, onto a list of website-related searches in the navigation menu. You can also move searches from the default list to different locations in the top-level navigation menu.

For more information, see "Define navigation for saved searches and reports" in the Knowledge Manager manual and "Customize navigation menus" in the Developer manual.

Revision: 207. Community content licensed under Creative Commons.