
If you find that you must repeatedly perform a particular search, you can save it for future use from the Search tab. You can also use saved searches to monitor data trends with the help of views and set notifications that are triggered depending on the threshold set.

You can view, manage, and search for saved searches by using the Cabinet > Saved Searches tab.

Saving a search

You can save a search (query) to run again in the future.

To save a search

  1. Navigate to the Search tab and perform a search by entering search criteria in the search bar.
  2. Perform one of the following actions:
    • To save the current search query that you executed, on the top-right side of your screen, click Save Search.
    • To save one of the search queries that appears in the Workspaces panel, select the search query and click Save Search.
  3. In the Save Search dialog box, enter the following details:
    • Name: Provide a name to identify the saved search.
    • Description: Provide any additional information that you want to add about the saved search.
    • Time Context: The time context of the search that you performed is automatically displayed. To save the search with the same time context, you can leave this selection unchanged or you can change the time context and save the search with the new time context. You might want to change the time context to monitor your search results more closely.
      For example, if you are troubleshooting an authentication failure error by performing a certain search every week (Last 7 days), you might want to run this search every 24 hours to monitor the error more closely. To do so, save the search with a different time context (Last 24 hours).

      Note

      Saved searches with custom time context cannot be added to views because such saved searches provide absolute results.

    • If you want the search query to be visible to all users irrespective of their access permissions, select the Make Public check box.

      Note

      By selecting the Make Public check box, you enable users to view the search query and run it irrespective of their access permissions, but they cannot access the data in the search results unless they have the appropriate permissions.

  4. Click Save.
    You can view the saved search by navigating to Cabinet > Saved Searches.

Sharing a saved search

You can share a saved search with all users irrespective of their user roles. When you share a saved search, users can both view and run the search query. However, they can view the search results only if they have the appropriate permissions.

To share a saved search

  1. Navigate to Cabinet > Saved Searches.
  2. Select the saved search that you want to share, and click Modify Saved Search.
  3. Select the Make Public check box.

Executing a saved search

  1. Navigate to Cabinet > Saved Searches.
  2. Perform one of the following actions:
    • Click the name of the saved search that you want to execute.
    • Select the saved search that you want to execute and click Execute Search.

Modifying a saved search

Views and notifications are based on saved searches, so be careful when changing the search query if views or notifications are associated with it. Views use the saved search context; therefore, any change to the time context can affect the views associated with the saved search.

Note

You cannot modify a saved search:

  • Shared by other users (by using the Make Public check box at the time of creating the saved search)
  • Imported using a content pack

To modify details of a saved search

  1. Navigate to Cabinet > Saved Searches.
  2. Select the saved search that you want to modify, and click Modify Saved Search.
  3. Modify one or more of the following details that you provided when you created the saved search:
    • Search Name: The name to identify the saved search.
    • Query String: The search query stored.
    • Description: Additional details provided when you created the saved search.
    • Time Context: The time context provided when you created the saved search.
    • Make Public: Select this check box to share the search query with all users irrespective of their access permissions.
  4. Click Update to save the new details.

Deleting a saved search

You can delete a saved search that you created. When you delete a saved search, the views and notifications associated with the saved search are also deleted.

Note

You cannot delete a saved search shared by others.

To delete a saved search

  1. Navigate to Cabinet > Saved Searches.
  2. Select the saved search that you want to delete, and click Delete Saved Search.
  3. Click Yes to confirm your action.

Cloning a saved search

You can make a copy of a saved search, modify details if needed, and save it.

Note

If you want to add a view or a notification using a saved search marked as public, then you must first clone it.

To clone a saved search

  1. Navigate to Cabinet > Saved Searches.
  2. Select the saved search that you want to clone, and click Clone Saved Search.
  3. In the Search Name box, provide a name to identify the cloned saved search.
  4. If needed, modify other details such as the query string, the description, and the time context that you provided earlier when you saved that search.
  5. Click Save.

Adding a saved search to the view

You can add a saved search to the view for a graphic representation of the search results data.

To add a saved search to the view

  1. Navigate to Cabinet > Saved Searches.
  2. Select the saved search that you want to add to the view, and click Add to View.

    Note

    You cannot add a saved search to a view in the following scenarios:

    • If the saved search has a custom time context because this type of saved search provides absolute results.
    • If the saved search was shared by other users and not created by you.
    • If the saved search contains a search query that uses the stats command without the group by parameter. Creating a viewlet for such a query does not provide a meaningful representation of the data.
      For example, in the following search query, there is no field specified to group the search results.
      * | stats count(HOST)
  3. On the Add to View dialog box, provide the following details:
    • Summarization Field: Select the field name by which you want to summarize your search results data in the viewlet.
      This field displays a list of fields available in the Filter Pane on the Search tab and all the tags available in the system. You can add more fields to this list by adding them to the My Fields panel on the Search tab. If the saved search contains a search query that returns tabular output (for example timechart, stats commands), then the fields displayed in the list are derived from the tabular data.
    • Chart Type: Select one of the following options:
      • Bar: To view your search-results data as a bar chart.
      • Pie: To view your search-results data as a pie chart.
        (Not supported for saved searches that return tabular output, for example, those that use the timechart command.)
    • View: Select one of the existing views (view pages) to add the search results data to that view. If you want to add the search results data to a new view, create the view by selecting Create new and providing a name for the view in the View box.
    • Viewlet Name: Provide a title for the summarization chart that you want to add in the viewlet.
    • On the Location grid, click the box in which your search results are to be displayed.
      If a viewlet is already plotted on one of the four boxes, then the viewlet name appears on that box.
    • Click Add.
      You can see the saved search details summarized in the form of a chart on the Views tab (on the specified view page).

You can also create views from the Views tab. For more information, see Managing views.

Creating a notification for the saved search

  1. Navigate to Cabinet > Saved Searches.
  2. Select the saved search for which you want to add a notification, and click Create Notification.

    For more information, see Adding a notification.

    Note

    You cannot create a notification for a saved search in the following scenarios:

    • If the saved search is created for a custom time context.
    • If the saved search was shared by other users and not created by you.
    • If the saved search contains a search query that returns tabular output, for example, a query that uses the timechart or stats command.

Where to go from here

View summarization charts added to the view and detect data trends, correlations, or irregularities. For more information, see Managing views.

Create notifications to monitor irregularities and raise alerts or log events. For more information, see Managing notifications.

Related topics

Using the command line to create a saved search

Using the command line to list saved searches

Using the command line to get details of a saved search