<Back |Home| Next >
Understanding savedsearches in splunk
savedsearch on splunk
You can save any
search query you created in splunk. A saved search can be used later for re running the search, fetch reports, create alerts, or dashboard panels.
How to create a saved search?
Creating a saved search is very simple. You just have to create query and run it. After that you have to just click on save as option.You can select how you want to search the search query.You can select appropriate option you want. By default saved search have read/write permission to its creator.You can change its permission if needed.You can view all saved searches and its permissions by clicking on SETTINGS >> SEARCHES AND REPORTS as shown below
Saving saved search:
How to create a saved search?
Creating a saved search is very simple. You just have to create query and run it. After that you have to just click on save as option.You can select how you want to search the search query.You can select appropriate option you want. By default saved search have read/write permission to its creator.You can change its permission if needed.You can view all saved searches and its permissions by clicking on SETTINGS >> SEARCHES AND REPORTS as shown below
Saving saved search:
How do I Delete, Edit, or Rename a saved search ?
To edit or delete a saved search, you need to use Splunk Manager. Go to the Manager link at the upper right-hand side of the Splunk page and click it if you're unfamiliar with it. Then click on theSearches and Reports link to see a list of all of the saved searches that you have either created or have been given permission to view and/or edit. Click on the name of the search you created; you should be taken to a details page, and if you have the correct permissions, you should be able to edit it there and save your changes.
Permissions are important, especially when it comes to deleting saved searches and other knowledge objects (as well as editing them). Here are the rules that control whether or not you can delete a saved search in Manager:
· You cannot delete default knowledge objects that were delivered with Splunk (or with the app) via Manager. If the knowledge object definition resides in the app's default directory, it can't be removed via Manager. It can only be disabled (by clicking Disable). Only objects that exist in an app's "local" directory are eligible for deletion.
· You can delete knowledge objects that you have created, and which haven't been shared. Once a knowledge object you've created is shared with other users, your ability to delete it is revoked, unless you have write permissions for the app to which they belong (see the next point).
· To delete all other knowledge objects, you need to have write permissions for the application to which they belong.This applies to knowledge objects that are shared globally as well as those that are only shared within an app--all knowledge objects belong to a specific app, no matter how they are shared. App-level write permissions are usually only granted to users with admin-equivalent roles.
How to configure alerting using saved search?
http://www.learnsplunk.com/how-to-configure-alerts-in-splunk.html to see steps
How splunk works in background when we create a saved search?
Splunk saves all savedsearch searches and its configuration like its purpose (report,alert etc),schedule and alert config in savedsearches.conf
Savedsearch default location:
$SPLUNK_HOME/etc/system/local/
Savedsearches.conf example:
----------------------------------------------------------------------------------
[saved search name]
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
displayview = flashtimeline
request.ui_dispatch_view = flashtimeline
search = index=* source search_id='rt*' | transaction search_id | table timestamp search_id search total_run_time result_count user
-------------------------------------------------------------------------------------------------------------------------------------
Understanding savedsearches.conf configuration:
action.email = 0 | 1 #Enables or disables the email action
action.email.reportServerEnabled = 0 #enables or disables report server
alert suppress #setting for suppressing alert
dispatch time # schedule search schedule time settings
Search #paste your search string here
How to Reload saved searches.conf without restarting splunk?
Use debug refresh to reload the savedsearch.conf changes
http(s)://yoursplunkhost:8000/debug/refresh
How get list of all saved searches?
| rest /servicesNS/-/-/saved/searches splunk_server=local
How to list scheduled searches last run status?
index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | table sched status savedsearch_name
Comment Box is loading comments...