Saving and sharing searches for analytics and monitoring

If you find that you must repeatedly perform a particular search, you can save it for future use from the Search tab. You can also use saved searches to monitor data trends with the help of dashboards and notifications that are triggered depending on the threshold set. Saved searches are the building blocks for creating dashboards and notifications.

You can view, manage, and search for saved searches by using the Saved Searches tab.

Saving a search

You can save a search (query) to run again in the future.

To save a search

  1. Navigate to the Search tab and perform a search by providing a search criteria in the search bar.
  2. On the top-right side of your screen, click Save Search .
  3. In the Save Search dialog box, enter the following details:
    • Name: Provide a name to identify the saved search.

      Note

      Names of the saved searches must be unique across users. If you try to save a search with a name that already exists, you get an error.

    • Description: Provide any additional information that you want to add about the saved search.

    • Time Context: The time context of the search that you performed is automatically displayed. To save the search with the same time context, you can leave this selection unchanged or you can change the time context and save the search with the new time context. You might want to change the time context to monitor your search results more closely.
      For example, if you are troubleshooting for an authentication failure error by performing a certain search every week (Last 7 days), then you might want to run this search every 24 hours to monitor the error more closely. For this you need to save the search with a different time context (Last 24 hours).

      Note

      Saved searches with custom time context cannot be added to dashboards because such saved searches provide absolute results.

    • If you want the search query to be visible to all users irrespective of their access permissions, select the Make Public check box.

      Note

      By selecting the Make Public check box, you enable users to view the search query and run it irrespective of their access permissions, but they cannot access the data in the search results unless they have the appropriate permissions.

  4. Click Save.
    You can view the saved search by navigating to the Saved Searches tab.

Sharing a saved search

You can share a saved search with all users irrespective of their user roles. When you share a saved search, users can both view and run the search query. However, they can view the search results only if they have the appropriate permissions. They can also use the shared saved search to add dashlets and notifications.

To share a saved search

  1. Navigate to the Saved Searches tab.
  2. Select the saved search that you want to share, and click Modify Saved Search.
  3. Select the Make Public check box.

Note

Saved searches imported via a content pack are also treated as public saved searches.

As an app admin or super admin, you can also share saved searches with other users by exporting them in a content pack. However, note that only super admins have the capability of importing content packs.

Executing a saved search

  1. Navigate to the Saved Searches tab.
  2. Perform one of the following actions:
    • Click the name of the saved search that you want to execute.
    • Select the saved search that you want to execute and click Execute Search .

Tip

You can also execute a saved search by selecting a type-ahead search suggestion while typing the search string the search bar.

Modifying a saved search

Dashboards and notifications are based on saved searches. So you need to be careful while changing the search query, if there are dashboards (or notifications) associated with that search query. Dashboards use the saved search context, therefore any change to the time context can affect dashboards associated with the saved search.

Note

You cannot modify a saved search:

  • Shared by other users (by selecting the Make Public check box at the time of creating the saved search)
  • Imported via a content pack.

However, you can clone the saved search and then customize it as per your needs.

To modify details of a saved search

  1. Navigate to the Saved Searches tab.
  2. Select the saved search that you want to modify, and click Modify Saved Search .
  3. Modify one or more of the following details that you provided when you created the saved search:
    • Search Name: The name to identify the saved search.
    • Query String: The search query stored.
    • Description: Additional details provided when you created the saved search.
    • Time Context: The time context provided when you created the saved search.
    • Make Public: Select this check box to share the search query with all users irrespective of their access permissions.
  4. Click Update to save the new details.

Deleting a saved search

You can delete the saved search that you created. When you delete a saved search, the dashboards and notifications associated with the saved search are also deleted. If a notification contains multiple saved searches and if you delete one of the saved searches used in the notification, then that saved search is removed from the notification.

If you delete a public saved search, a private copy of the saved search is automatically created so that objects configured based on the deleted saved search continue to function. The private copy details are automatically updated in the dependent objects (for example, notifications and dashboards) and are also listed on the Saved Searches page. The user using the saved searches becomes the owner of the private copy. The private copy is named in the following ways based on the source of the public saved search:

  • Imported via a content pack: Based on this source, the private copy is named as "Copy of <SavedSearchName> from <ContentPackName>".
  • Created by you: Based on this source, the private copy is named as "Copy of <SavedSearchName>".

Note

You cannot delete public saved searches shared by other users.

To delete a saved search

  1. Navigate to the Saved Searches tab.
  2. Select the saved search that you want to delete, and click Delete Saved Search .
  3. Click Yes to confirm your action.

Cloning a saved search

You can make a copy of a saved search, modify details if needed, and save it.

To clone a saved search

  1. Navigate to the Saved Searches tab.
  2. Select the saved search that you want to clone, and click Clone Saved Search .
  3. In the Search Name box, provide a name to identify the cloned saved search.
  4. If needed, modify other details such as the query string, the description, and the time context that you provided earlier when you saved that search.
  5. Click Save.

Adding a dashlet

You can use one of the saved searches to create a dashlet on the Dashboards tab for a graphic representation of the search results data.

To add a dashlet from the Saved Searches tab

  1. Navigate to the Saved Searches tab.
  2. Select the saved search that you want to add to the dashboard page, and click Add to Dashboard .

    Note

    You cannot add a saved search to a dashboard in the following scenarios:

    • If the saved search has a custom time context because this type of saved search provides absolute results.
    • If the saved search contains a search query that uses the stats search command command without the group by parameter. Creating a dashlet for such a query does not provide meaningful representation of data.
      For example, in the following search query, there is no field specified to group the search results.
      * | stats count(HOST)
  3. On the Add to Dashboard dialog box, provide the following details:
    • Summarization Field: Select the field name by which you want to summarize your search results data in the dashlet.
      You can select from a list of fields which are available on the Filters panel on the Search tab and all the tags which are available in the system. You can add more fields to this list by adding more fields to the Fields section, on the Filters panel. If the saved search contains a search query that returns tabular output (for example timechart search command, stats search command commands), then the fields displayed in the list are derived from the tabular data.
    • Chart Type: Select one of the following chart types to summarize your search results:

      Chart typePreview
      Bar

      Column
      Doughnut
      Line
      Pie

      Note

      The pie and doughnut charts are not supported for saved searches that return tabular output. For example, timechart search command command.

    • Dashboard: Select one of the existing dashboard pages to add the search results data to that dashboard page. If you want to add the search results data to a new dashboard page, then create the new dashboard page by selecting Create new and provide a name for the dashboard in the Dashboard box.
    • Dashlet Name: Provide a title for the summarization chart that you want to add in the dashlet.
    • On the Location grid, click the box in which your search results are to be displayed.
      If a dashlet is already plotted on one of the four boxes, then the dashlet name appears on that box.
    • Click Add.
      You can see the saved search details summarized in the form of a chart on the Dashboards tab (on the specified dashboard page).

You can also create dashboards from the Dashboards tab. For more information, see Creating and managing dashboards.

Icons and associated functions on the Saved Searches tab

The Saved Searches tab allows you to view, manage, and search saved searches.

You can perform the following actions on the Saved Searches tab.

ActionIconDescription
Execute Search

Execute the saved search.

View Saved Search

View details of the selected saved search.

You can see details such as the name, search query, description, and time context of the saved search. Additionally, you can see whether the saved search is public or not.

Modify Saved Search

Edit the selected saved search details.

For more information, see Modifying a saved search.

Delete Saved Search

Delete the selected saved search.

For more information, see Deleting a saved search.

Clone Saved Search

Make a copy of the selected saved search.

For more information, see Cloning a saved search.

Add to Dashboard

Use the saved search to create a dashlet on a dashboard.

For more information, see Adding a saved search to the dashboard.

Create Notification

Use the saved search to create a notification.

Notes: You cannot create a notification for a saved search in the following scenarios:

  • If the saved search is created for a custom time context. This is because such saved searches are run for a fixed duration and therefore are not relevant for adding notifications.
  • If the saved search contains a search query that returns tabular output. For example, timechart search command and stats search command command.
List Notifications and Dashlets

List the notifications and dashlets in which the existing saved searches are employed.

Search

In the search bar, at the top-right side of your screen, you can filter saved searches in the following ways:

  • Saved search name
  • Source
  • Search string

The Saved Searches tab provides the following information:

Field

Description

Name

Name of the saved search configured.

Source

Source can be one of the following:

  • Content pack name: If the saved search was imported via a content pack.
  • User name: If the saved search is not created by you, but shared by another user (public saved search).

If the saved search is created by you, then a hyphen (-) is displayed.

Note: Saved searches imported via a content pack are treated as public saved searches.

Search String
Search query included in the saved search.
Time Range

Time range of the search query included in the saved search.

PublicDisplays whether the saved search is public or not, this means whether it is accessible by all users or not.

Where to go from here

View summarization charts added to the dashboard and detect data trends, correlations, or irregularities. For more information, see Creating and managing dashboards.

Create notifications to monitor irregularities and raise alerts or log events. For more information, see Setting up notifications to create alerts or reports.



Was this page helpful? Yes No Submitting... Thank you

Comments