Solved: How to create a saved search?

bnorthway · ‎05-28-2015

I want to learn how to create a saved search - as appears in savesearches.conf. My end goal is to use a saved search to populate a lookup table.

Apparently, there is no documentation (I searched the docs for "saved search" -- no results) so I wondered if anyone knows how to do this. In the Search app, I see the link "Save As", but it looks like I can only save a Report, Dashboard Panel, Alert, or Event Type. Are those all saved searches? I saved a search, but savedsearches.conf was not modified.

arkadyz1 · ‎05-28-2015

Save as Report creates a saved search.

savedsearches.conf is created/modified in etc/apps/your_app/local folder, where your_app is the application context where you created and saved the search. In your case, it's most probably search. So look in $SPLUNK_HOME/etc/apps/search/local.

View solution in original post

arkadyz1 · ‎05-28-2015

Save as Report creates a saved search.

savedsearches.conf is created/modified in etc/apps/your_app/local folder, where your_app is the application context where you created and saved the search. In your case, it's most probably search. So look in $SPLUNK_HOME/etc/apps/search/local.

bnorthway · ‎05-28-2015

Ahh yes and in Settings -> Searches, reports, and alerts, if the permissions are set to "Private", the search goes to etc/users/<user>/search/local/savedsearches.conf instead. Thank you!

How to create a saved search?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms