"This website is not affiliated with Splunk, Inc. and is not an authorized seller of Splunk products or services."

Understanding saved searches in Splunk

You can save any search query you write in Splunk. A saved search can be re-run later as it is, used as a report, scheduled so that it raises an alert, or used to drive a dashboard panel.

How to create a saved search?

Creating a saved search is simple. Write the query, run it, and click Save As; the menu lets you choose what the saved search becomes (a report, an alert, or a dashboard panel). By default a saved search is private: only its creator (and the admin role) can see or edit it. You can change its permissions later, and you can see every saved search you are allowed to view, together with its permissions, under Settings >> Searches, reports, and alerts (called Manager >> Searches and reports in older releases), as shown below.


(Screenshot: saving a search from the Save As menu.)


How do I delete, edit, or rename a saved search?

To edit or delete a saved search, use Settings (called Manager in older releases). Click the Settings link at the upper right of the Splunk page, then Searches, reports, and alerts, to see a list of the saved searches you created or have been given permission to view or edit. Click the name of the search to open its details page; if you have the right permissions you can edit it there and save your changes. Renaming happens on the same page and changes the stanza name in savedsearches.conf, so any dashboard panel or alert that refers to the search by its old name has to be updated as well.

Permissions matter, especially when it comes to deleting saved searches and other knowledge objects (and when editing them). These rules control whether you can delete a saved search:

·         You cannot delete the default knowledge objects delivered with Splunk or with an app. If the object's definition lives in the app's default directory it cannot be removed through the UI; it can only be disabled (click Disable). Only objects that exist in an app's local directory are eligible for deletion.

·         You can delete knowledge objects you created yourself and have not shared. Once an object you created is shared with other users, your ability to delete it is revoked unless you have write permission on the app it belongs to (see the next point).

·         To delete any other knowledge object you need write permission on the app it belongs to. This applies to objects shared globally as well as to those shared only within an app: every knowledge object belongs to a specific app, however it is shared. App-level write permission is usually granted only to admin-equivalent roles.

 

How to configure alerting using a saved search?

A saved search becomes an alert when it is scheduled and given a trigger condition and one or more alert actions (email, script, and so on). See http://www.learnsplunk.com/how-to-configure-alerts-in-splunk.html for the step-by-step procedure.

How does Splunk work in the background when we create a saved search?

Splunk stores every saved search and its configuration (its purpose: report, alert, etc.; its schedule; its trigger condition and alert actions) as one stanza in savedsearches.conf.

Where savedsearches.conf lives:

Like every knowledge object, a saved search belongs to an app and to an owner, and the file it is written to depends on how it is shared:

$SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf   (private search, visible only to its creator)
$SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf           (search shared within the app or globally)
$SPLUNK_HOME/etc/apps/<app>/default/savedsearches.conf         (searches shipped with the app; do not edit, override in local)
$SPLUNK_HOME/etc/system/default/savedsearches.conf             (Splunk's own defaults for every setting)

Settings placed in $SPLUNK_HOME/etc/system/local/savedsearches.conf apply system-wide, but the UI never writes there. The full list of settings, with defaults, is in $SPLUNK_HOME/etc/system/README/savedsearches.conf.spec.

savedsearches.conf example:

----------------------------------------------------------------------------------

[saved search name]
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
displayview = flashtimeline
request.ui_dispatch_view = flashtimeline
search = index=* source search_id='rt*' | transaction search_id | table timestamp search_id search total_run_time result_count user

----------------------------------------------------------------------------------

 

Understanding the savedsearches.conf settings:

[saved search name]    # the stanza name is the saved search's name, exactly as shown in the UI

search = <SPL>    # the search string itself (everything after the leading "search" keyword)

dispatch.earliest_time / dispatch.latest_time    # the time range the search runs over, as Splunk time modifiers (-24h@h, now, rt for real-time)

enableSched = 0 | 1    # 1 makes the search run on a schedule; cron_schedule = <cron expression> sets when

action.email = 0 | 1    # enables or disables the email alert action; action.email.to, action.email.subject and action.email.inline configure it

action.email.reportServerEnabled = 0 | 1    # whether emails are rendered through a report server (0 in most deployments)

alert.suppress = 0 | 1    # 1 throttles the alert; alert.suppress.period sets for how long, alert.suppress.fields throttles per field value (for example once per src_ip)

alert.track = 0 | 1    # 1 records every trigger in the Triggered alerts list

displayview / request.ui_dispatch_view    # the UI view the saved search opens in (flashtimeline is the classic search view from Splunk 4)
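To see how the settings above combine into a working scheduled alert, and to check a hand-edited file for settings a reviewer would question, here is an added example in Python. It is not code from this page or from Splunk: the savedsearches.conf text inside it is constructed for the example (the setting names are real savedsearches.conf keys), the review heuristics are the example's own, and example.com stands in for your organisation's mail domain.

```python
"""Parse a savedsearches.conf and summarise what each saved search does.

Added example (not from the original page or from Splunk): a small audit
script a security engineer might run over an app's local/savedsearches.conf
to see which searches are scheduled, what alert actions they fire, and
which settings deserve a second look. The conf text below is constructed
for the example; the keys it uses (enableSched, cron_schedule,
alert.suppress, action.email.to, ...) are real savedsearches.conf settings.
"""
import configparser
import re

# Constructed sample conf: a plain saved search, a well-formed scheduled
# alert with throttling, and a scheduled search with loose settings.
SAMPLE_CONF = """\
[Long running searches]
search = index=_audit action=search info=completed total_run_time>300 | table _time user search total_run_time
dispatch.earliest_time = -24h@h
dispatch.latest_time = now

[Brute force - many failed logins]
search = index=auth sourcetype=linux_secure "Failed password" | stats count by src_ip | where count > 20
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
alert.suppress = 1
alert.suppress.fields = src_ip
alert.suppress.period = 1h
action.email = 1
action.email.to = soc@example.com

[Everything hourly]
search = index=* | stats count
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
action.script = 1
action.script.filename = notify.sh
"""


def parse_savedsearches(text):
    """Return {stanza_name: {key: value}} for a savedsearches.conf body.

    Splunk conf files are INI-like, so configparser does the work. Keys stay
    case-sensitive (Splunk keys such as enableSched are), only '=' separates
    key from value (SPL is full of ':' characters), and interpolation is off
    because SPL also contains '%' (strftime formats).
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def summarise(stanzas, mail_domain="example.com"):
    """Describe each saved search and flag settings a reviewer would question.

    The heuristics are this example's own, not Splunk's: a scheduled search
    over index=* with no other filter, a scheduled alert with no throttling,
    a script action (it runs on the search head), and email sent outside
    the assumed mail_domain.
    """
    report = {}
    for name, kv in stanzas.items():
        scheduled = kv.get("enableSched", "0") == "1" and "cron_schedule" in kv
        # action.<name> = 1 enables an alert action; deeper keys configure it
        actions = sorted(k.split(".")[1] for k, v in kv.items()
                         if re.fullmatch(r"action\.[a-z_]+", k) and v == "1")
        findings = []
        if scheduled and re.match(r"^\s*index\s*=\s*\*\s*(\||$)", kv.get("search", "")):
            findings.append("scheduled search over index=* with no other filter")
        if scheduled and actions and kv.get("alert.suppress", "0") != "1":
            findings.append("alert actions without throttling (alert.suppress)")
        if "script" in actions:
            findings.append("script action %s runs on the search head"
                            % kv.get("action.script.filename", "?"))
        for addr in re.split(r"[,\s]+", kv.get("action.email.to", "")):
            if addr and not addr.lower().endswith("@" + mail_domain):
                findings.append("email action sends results to %s" % addr)
        report[name] = {
            "scheduled": scheduled,
            "cron": kv.get("cron_schedule"),
            "window": (kv.get("dispatch.earliest_time"), kv.get("dispatch.latest_time")),
            "actions": actions,
            "throttled": kv.get("alert.suppress") == "1",
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for name, info in summarise(parse_savedsearches(SAMPLE_CONF)).items():
        print(name, info)
```

Point parse_savedsearches() at the contents of a real $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf to run it over your own deployment; only the local file is worth auditing, since that is where UI and hand edits land.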

How to reload savedsearches.conf without restarting Splunk?

Changes made through the UI or the REST API take effect immediately. If you edit the file by hand, ask Splunk to re-read its configuration with the debug refresh URL (you must be logged in with the admin role):

http(s)://yoursplunkhost:8000/debug/refresh

The page lists each configuration endpoint it reloaded. Most conf-backed REST endpoints, saved/searches included, also accept a _reload action, so https://yoursplunkhost:8089/servicesNS/-/-/saved/searches/_reload reloads only saved searches.

 

How to get a list of all saved searches?

| rest /servicesNS/-/-/saved/searches splunk_server=local | table title eai:acl.app eai:acl.owner eai:acl.sharing is_scheduled cron_schedule search

The -/- in the path means every owner and every app you are allowed to read; splunk_server=local stops the rest command from fanning out to every indexer in the deployment.

How to list the last run status of scheduled searches?

index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | table sched status savedsearch_name app user run_time result_count

A status of skipped means the scheduler did not run the search for that cycle at all (for example because the concurrent-search limit was reached); for an alert that is a detection gap, not just a late result.
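The search above reads Splunk's scheduler.log, which records one key=value line per scheduled run. As an added example, not from this page or from Splunk, here is the same "last run status per saved search" summary done in Python over a few constructed scheduler.log lines, so the field layout and the skipped case are visible. The log lines and the reason text are made up for the example; run_time and result_count are assumed to be present on success lines.

```python
"""Summarise scheduled-search runs from Splunk scheduler.log lines.

Added example (not from the original page or from Splunk): does in Python
what the SPL above does in Splunk, so the shape of scheduler.log is visible.
The three log lines below are constructed for the example; their layout
follows scheduler.log's key=value format, but every value is invented.
"""
import re
from datetime import datetime, timezone

SAMPLE_LOG = """\
03-14-2024 10:00:02.117 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Brute force - many failed logins", search_type="scheduled", user="admin", app="search", savedsearch_name="Brute force - many failed logins", status=success, scheduled_time=1710410400, dispatch_time=1710410402, run_time=1.412, result_count=0, alert_actions=""
03-14-2024 10:00:05.002 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Everything hourly", search_type="scheduled", user="admin", app="search", savedsearch_name="Everything hourly", status=skipped, reason="The maximum number of concurrent running jobs for this historical scheduled search on this instance has been reached", scheduled_time=1710410400
03-14-2024 10:15:03.440 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Brute force - many failed logins", search_type="scheduled", user="admin", app="search", savedsearch_name="Brute force - many failed logins", status=success, scheduled_time=1710411300, dispatch_time=1710411303, run_time=2.031, result_count=3, alert_actions="email"
"""

# key=value pairs: the value is either double-quoted (and may contain
# commas and spaces) or a bare token running up to the next comma.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_line(line):
    """Return the key=value fields of one scheduler.log line as a dict."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted != "" else bare
    return fields


def fmt_epoch(ts):
    """Render an epoch second in UTC, like strftime() does in the SPL."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def last_run_status(lines):
    """Latest scheduled run per saved search, keyed by savedsearch_name.

    'Latest' means the highest scheduled_time, which is what matters when
    asking whether a detection is still firing on schedule.
    """
    latest = {}
    for line in lines:
        f = parse_line(line)
        if "savedsearch_name" not in f or "scheduled_time" not in f:
            continue  # not a run record (scheduler.log carries other messages too)
        name = f["savedsearch_name"]
        ts = int(f["scheduled_time"])
        if name in latest and latest[name]["scheduled_epoch"] >= ts:
            continue
        latest[name] = {
            "scheduled_epoch": ts,
            "scheduled": fmt_epoch(ts),
            "status": f.get("status"),
            "run_time": float(f["run_time"]) if "run_time" in f else None,
            "result_count": int(f["result_count"]) if "result_count" in f else None,
            "reason": f.get("reason"),
        }
    return latest


def skipped_runs(lines):
    """(name, scheduled, reason) for every run the scheduler skipped.

    A skipped run means the search never executed for that cycle; for an
    alert that is a blind spot, not merely a late result.
    """
    out = []
    for line in lines:
        f = parse_line(line)
        if f.get("status") == "skipped":
            out.append((f.get("savedsearch_name"), fmt_epoch(f["scheduled_time"]), f.get("reason")))
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for name, info in last_run_status(lines).items():
        print(f'{info["scheduled"]}  {info["status"]:8}  {name}')
    for name, when, reason in skipped_runs(lines):
        print(f"skipped {name} at {when}: {reason}")
```

On a real search head, feed it $SPLUNK_HOME/var/log/splunk/scheduler.log instead of SAMPLE_LOG; anything that shows up from skipped_runs() for an alert deserves the same attention as a failed run.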

