Saving and sharing searches for analytics and monitoring
If you find that you must repeatedly perform a particular search, you can save it for future use from the Search tab. You can also use saved searches to monitor data trends with the help of dashboards and notifications that are triggered depending on the threshold set. Saved searches are the building blocks for creating dashboards and notifications.
You can view, manage, and search for saved searches by using the Saved Searches tab.
Saving a search
You can save a search (query) to run again in the future.
To save a search
- Navigate to the Search tab and perform a search by providing search criteria in the search bar.
- On the top-right side of your screen, click Save Search.
- In the Save Search dialog box, enter the following details:
- Name: Provide a name to identify the saved search.
- Description: Provide any additional information that you want to add about the saved search.
- Time Context: The time context of the search that you performed is automatically displayed. To save the search with the same time context, you can leave this selection unchanged or you can change the time context and save the search with the new time context. You might want to change the time context to monitor your search results more closely.
For example, if you are troubleshooting an authentication failure error by performing a certain search every week (Last 7 days), then you might want to run this search every 24 hours to monitor the error more closely. For this you need to save the search with a different time context (Last 24 hours).
- Make Public: If you want the search query to be visible to all users irrespective of their access permissions, select this check box.
- Click Save.
You can view the saved search by navigating to the Saved Searches tab.
Sharing a saved search
You can share a saved search with all users irrespective of their user roles. When you share a saved search, users can both view and run the search query. However, they can view the search results only if they have the appropriate permissions. They can also use the shared saved search to add dashlets and notifications.
To share a saved search
- Navigate to the Saved Searches tab.
- Select the saved search that you want to share, and click Modify Saved Search.
- Select the Make Public check box.
Executing a saved search
- Navigate to the Saved Searches tab.
- Perform one of the following actions:
- Click the name of the saved search that you want to execute.
- Select the saved search that you want to execute and click Execute Search.
Modifying a saved search
Dashboards and notifications are based on saved searches, so be careful when changing the search query if dashboards or notifications are associated with it. Dashboards use the saved search context; therefore, any change to the time context can affect dashboards associated with the saved search.
To modify details of a saved search
- Navigate to the Saved Searches tab.
- Select the saved search that you want to modify, and click Modify Saved Search.
- Modify one or more of the following details that you provided when you created the saved search:
- Search Name: The name to identify the saved search.
- Query String: The search query stored.
- Description: Additional details provided when you created the saved search.
- Time Context: The time context provided when you created the saved search.
- Make Public: Select this check box to share the search query with all users irrespective of their access permissions.
- Click Update to save the new details.
Deleting a saved search
You can delete the saved search that you created. When you delete a saved search, the dashboards and notifications associated with the saved search are also deleted. If a notification contains multiple saved searches and if you delete one of the saved searches used in the notification, then that saved search is removed from the notification.
If you delete a public saved search, a private copy of the saved search is automatically created so that objects configured based on the deleted saved search continue to function. The private copy details are automatically updated in the dependent objects (for example, notifications and dashboards) and are also listed on the Saved Searches page. The user using the saved searches becomes the owner of the private copy. The private copy is named in the following ways based on the source of the public saved search:
- Imported via a content pack: Based on this source, the private copy is named as "Copy of <SavedSearchName> from <ContentPackName>".
- Created by you: Based on this source, the private copy is named as "Copy of <SavedSearchName>".
To delete a saved search
- Navigate to the Saved Searches tab.
- Select the saved search that you want to delete, and click Delete Saved Search.
- Click Yes to confirm your action.
Cloning a saved search
You can make a copy of a saved search, modify details if needed, and save it.
To clone a saved search
- Navigate to the Saved Searches tab.
- Select the saved search that you want to clone, and click Clone Saved Search.
- In the Search Name box, provide a name to identify the cloned saved search.
- If needed, modify other details such as the query string, the description, and the time context that you provided earlier when you saved that search.
- Click Save.
Adding a dashlet
You can use one of the saved searches to create a dashlet on the Dashboards tab for a graphic representation of the search results data.
To add a dashlet from the Saved Searches tab
- Navigate to the Saved Searches tab.
- Select the saved search that you want to add to the dashboard page, and click Add to Dashboard.
- On the Add to Dashboard dialog box, provide the following details:
- Summarization Field: Select the field name by which you want to summarize your search results data in the dashlet.
You can select from a list of fields which are available on the Filters panel on the Search tab and all the tags which are available in the system. You can add more fields to this list by adding more fields to the Fields section, on the Filters panel. If the saved search contains a search query that returns tabular output (for example timechart-search-command, stats-search-command commands), then the fields displayed in the list are derived from the tabular data.
- Chart Type: Select one of the following chart types to summarize your search results:
- Dashboard: Select one of the existing dashboard pages to add the search results data to that dashboard page. If you want to add the search results data to a new dashboard page, then create the new dashboard page by selecting Create new and provide a name for the dashboard in the Dashboard box.
- Dashlet Name: Provide a title for the summarization chart that you want to add in the dashlet.
- On the Location grid, click the box in which your search results are to be displayed.
If a dashlet is already plotted on one of the four boxes, then the dashlet name appears on that box.
- Click Add.
You can see the saved search details summarized in the form of a chart on the Dashboards tab (on the specified dashboard page).
You can also create dashboards from the Dashboards tab. For more information, see Creating-and-managing-dashboards.
Icons and associated functions on the Saved Searches tab
The Saved Searches tab allows you to view, manage, and search saved searches.
You can perform the following actions on the Saved Searches tab.
The Saved Searches tab provides the following information:
Where to go from here
View summarization charts added to the dashboard and detect data trends, correlations, or irregularities. For more information, see Creating-and-managing-dashboards.
Create notifications to monitor irregularities and raise alerts or log events. For more information, see Setting-up-notifications-to-create-alerts-or-reports.