USAGE OF SPLUNK COMMANDS: SAVEDSEARCH
Usage of savedsearch command:
The “savedsearch” command is used to show the results from any saved search (reports, alerts, etc.).
It is a generating command, so it must start with a leading pipe (please click on the link to know more about the types of commands in Splunk).
The savedsearch command always runs a new search.
Syntax of savedsearch command:
| savedsearch <savedsearch_name> [<savedsearch-options>…]
savedsearch_name: Name of the saved search to run
savedsearch-options:
substitution-control: nosubstitution=<bool>: Controls whether the $string$ placeholders in the saved search are replaced (eg: nosubstitution=true | false). The default value is false, which means substitution is performed; set it to true to run the saved search with the placeholders left as they are.
replacement: <field>=<string>: Replaces the $field$ placeholder with the string or value you want.
Example: 1
Step: 1
First, log in to your Splunk instance using your credentials.
Here, we will show you how to use the “savedsearch” command to get the result from a report.
Step: 2
Click on the “Search & Reporting” option.
Step: 3
Please see the query below, which we have used to create the report.
index=_internal sourcetype=splunkd_ui_access | stats count by method
Explanation:
Here, we have used the “_internal” index and the “splunkd_ui_access” sourcetype.
| stats count by method -> gets the count of events for each value of the method field.
Step: 4
Click on the “Save As” option and then click on the “Report” option to save it as a report.
We have given this report the name “Test_Report” and then clicked on the “Save” option to save it as a report.
Step: 5
Now, click on the “View” option to view the report.
Step: 6
As you can see in the image below, the report “Test_Report” is saved and shows the result for “Last 15 minutes”.
Step: 7
Explanation:
As mentioned in the syntax section for the “savedsearch” command, here we have used “| savedsearch Test_Report”, and it shows the result set of the query we saved in that report.
NOTE: While using the “savedsearch” command, if you specify “All Time” in the time range picker, the command uses the time range that was saved when the saved search was created. But if you specify any time range other than “All Time” in the time range picker, the time range you specify while using the “savedsearch” command overrides the time range that was saved with the saved search. (As you can see, we have selected “Last 24 hours” in the “Time Range Picker” here, while the “Test_Report” was saved with the time range “Last 15 minutes”.)
Example: 2
Step: 1 and Step: 2 are the same as Example: 1
Step: 3
Please see the query below, which we have used to create a report.
index=_internal sourcetype=splunkd_ui_access method=$method$ | stats count by method
Explanation:
Here, we have used the “_internal” index and the “splunkd_ui_access” sourcetype.
method=$method$ -> as it stands, this search will not return any result, because the method field does not contain any value like the literal text “$method$”.
Instead, we will use $method$ as a variable (placeholder) when we run the report with the “savedsearch” command.
| stats count by method -> gets the count of events for each value of the method field.
Step: 4
Click on the “Save As” option and then click on the “Report” option to save it as a report.
Step: 5
We have given this report the name “Test_Report_2” and then clicked on the “Save” option to save it as a report.
Step: 6
Now, click on the “View” option to view the report.
Step: 7
As you can see in the image below, the report did not return any result because of the query we used to create it. [Please see Step: 3 of Example: 2]
Step: 8
Explanation:
| savedsearch Test_Report_2 -> to see the result set of the “Test_Report_2” report.
nosubstitution=false -> This is the default. With substitution enabled, the $string$ placeholders in the query used to create the report (or any other saved search, such as an alert) are replaced by the values you pass to the command.
method=GET -> If you look at the query of “Test_Report_2”, we used a placeholder, method=$method$, so that while running the “savedsearch” command we can put any value of the method field in the place of $method$. Here we have used “GET”, and we get the count of “GET” requests.
NOTE: Here we have used a non-scheduled report, but you can use the “savedsearch” command for scheduled reports as well, or for any other scheduled saved search. In Example: 3, we will show you how to use the “savedsearch” command to get the data from an alert.
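To make the two rules above concrete (the $string$ substitution from Example 2 and the “All Time” time-range rule from the NOTE in Example 1), here is an added Python model of what “| savedsearch” ends up running. It is illustrative code written for this page, not Splunk’s implementation: SAVED_SEARCHES, expand_savedsearch and unresolved_tokens are hypothetical names, and the stored time ranges are constructed sample values.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample catalogue (a hypothetical stand-in for what Splunk stores):
# the two reports from this page, each saved with "Last 15 minutes".
SAVED_SEARCHES: Dict[str, dict] = {
    "Test_Report": {
        "search": "index=_internal sourcetype=splunkd_ui_access | stats count by method",
        "earliest": "-15m", "latest": "now",
    },
    "Test_Report_2": {
        "search": "index=_internal sourcetype=splunkd_ui_access method=$method$ "
                  "| stats count by method",
        "earliest": "-15m", "latest": "now",
    },
}

# A placeholder is $name$, where name looks like a field name.
TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def unresolved_tokens(search: str) -> List[str]:
    """Names of the $token$ placeholders still present in a search string."""
    return TOKEN.findall(search)


def expand_savedsearch(name: str, replacements: Optional[Dict[str, str]] = None,
                       nosubstitution: bool = False,
                       picker: Optional[Tuple[str, str]] = None) -> dict:
    """Model what '| savedsearch <name> [options]' would actually run.

    replacements   -> the <field>=<string> options, e.g. {"method": "GET"}
    nosubstitution -> True leaves every $token$ untouched
    picker         -> (earliest, latest) chosen in the time range picker;
                      None stands for "All Time"
    """
    saved = SAVED_SEARCHES[name]
    search = saved["search"]
    if not nosubstitution:
        # A token with no supplied value stays as the literal text "$method$",
        # which is why Test_Report_2 returns nothing until method=<value> is passed.
        search = TOKEN.sub(lambda m: (replacements or {}).get(m.group(1), m.group(0)), search)
    # "All Time" means "use the range saved with the search"; any other picker
    # selection overrides the saved range.
    time_range = (saved["earliest"], saved["latest"]) if picker is None else picker
    return {"search": search, "time_range": time_range,
            "unresolved": unresolved_tokens(search)}
```

A non-empty `unresolved` list is the pre-run check that would have explained the empty result in Step: 7 of Example: 2.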
Example: 3
Please see the query below, which we have used to create an alert named “Test_Alert”.
index=_audit | stats count by info
As you can see in the image below, we have the alert named “Test_Alert” in the Alerts section, where we have used the above query.
Explanation:
As you can see in the image above, we have used “| savedsearch Test_Alert” to get the result set from the alert “Test_Alert”.
Happy Splunking !!