Saved searches

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6

Saved searches are the most common developer configuration -- use them as a shortcut to common searches. All your dashboards and form searches will be built on saved searches, so familiarize yourself with Splunk's search language, create some searches that highlight the important aspects of your data and then integrate them into your dashboards.

Dashboards help you highlight saved searches in the form of charts, graphs and links. So figure out what your app users are trying to do, and how you can facilitate their goals with saved searches. Then, add your saved searches to your dashboards and view collections.

Example: You're building an app to highlight your site's web traffic. You can make saved searches that follow referrer URIs, track download stats, or use any other data available in your web logs.

Build searches

If you've never worked with Splunk's search language before, read the User Manual section on how to search and investigate. Build your searches to highlight the most relevant aspects of your data and support your app users' end goals. So if you're building a helpdesk app, figure out what your team will need to get out of your app. Then build searches that collect this information and present it to them in a useful way.

Save searches

Once you've decided what you want your searches to look like, save them to run again. You can save searches from Splunk Web or within Splunk Manager, or create a savedsearches.conf in your app's directory. As an app developer, the best way to create a saved search is through Splunk Manager, within your app's context:

1. Pick your app from the drop-down in the upper left-hand corner of Splunk Web.

2. Then click on the Manager link in the upper right-hand corner.

3. Pick the App Configurations tab. These are all the configurations that can be targeted at an app. You can create a saved search or event type, or edit views, navs or search commands.

4. Build a new saved search, then save it. It will exist in the saved search page for that app and it will belong to you:

http://localhost:8000/en-US/manager/<app_name>/saved/searches

(Replace localhost:8000 with your Splunk host and installation port.)

Integrate searches into your app

When you first create a saved search via Splunk Manager (or Splunk Web), it is added to your user directory in $SPLUNK_HOME/etc/users/. Saved searches belong to an app when they are in that app's directory, specifically in $SPLUNK_HOME/etc/apps/<app_name>/default/savedsearches.conf. To share a saved search with all app users, or to add it to the app namespace, set permissions on that search:

1. Navigate to the saved searches page in your app in Splunk Manager.

2. Locate your saved search in the list view and click the Permissions link next to it.

3. Click the box to Share saved search. This moves the search from your user directory to the app's directory.

4. Optionally set read/write permissions for users in the access control list.
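
To review which saved searches still live only in a user directory (and so are not shared with other app users), the following added example, which is not part of the Splunk documentation, walks a Splunk home directory and compares the two locations described above. The per-user layout `etc/users/<user>/<app>/local/`, the app's `local` layer, the app name `webtraffic` and the sample searches are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

STANZA = re.compile(r"^\[([^\]]+)\]$")  # a stanza header names one saved search

def stanza_names(conf):
    """Return the saved search names defined in one savedsearches.conf."""
    lines = (l.strip() for l in conf.read_text(encoding="utf-8").splitlines())
    return [m.group(1) for m in map(STANZA.match, lines) if m and m.group(1) != "default"]

def inventory(splunk_home, app):
    """Return (private, shared): [(user, name)] and the set of app-level names."""
    home = Path(splunk_home)
    private = []
    # Assumed per-user layout: etc/users/<user>/<app>/local/savedsearches.conf
    for conf in sorted(home.glob(f"etc/users/*/{app}/local/savedsearches.conf")):
        private += [(conf.parts[-4], name) for name in stanza_names(conf)]
    shared = set()
    for layer in ("default", "local"):  # "local" is an assumed second layer
        conf = home / "etc" / "apps" / app / layer / "savedsearches.conf"
        if conf.is_file():
            shared.update(stanza_names(conf))
    return private, shared

def unshared(splunk_home, app):
    """Private searches with no app-level copy, i.e. not visible to other app users."""
    private, shared = inventory(splunk_home, app)
    return [(user, name) for user, name in private if name not in shared]

def build_sample(root):
    """Write a constructed SPLUNK_HOME tree for the hypothetical app 'webtraffic'."""
    files = {
        "etc/apps/webtraffic/default/savedsearches.conf":
            "[Top referrers]\nsearch = sourcetype=access_combined | top referer\n",
        "etc/users/alice/webtraffic/local/savedsearches.conf":
            "[Top referrers]\nsearch = sourcetype=access_combined | top 5 referer\n"
            "[Download stats]\nsearch = sourcetype=access_combined uri=*.zip | stats count\n",
    }
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for user, name in unshared(build_sample(tmp), "webtraffic"):
            print(f"{user}: '{name}' exists only in the user directory")
```

Point `unshared()` at a real Splunk home and app name to list searches that would not ship with the app.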

Revision: 207 | Community content licensed under Creative Commons