Reporting

View saved search SPL without running the search

Tedesco1
Path Finder

Hi all,

I have a few saved searches running on a schedule that I'm using to populate a summary index. My problem is that, in order to edit or view the SPL, I have to click "open in search"... which automatically executes the search at that time.

Then when I want to save them I have to run them again, otherwise the "save" button is disabled.

These searches contain the collect command, so I generally don't want to run them except for when I've scheduled them to run. Is there any way (other than the command line) to edit these saved searches in a way that doesn't force me to actually run the search?

Tags (1)
0 Karma
1 Solution

vikramyadav
Contributor

Yes, it is possible to view or edit your SPL query without running it.
Steps
1. Login into your server (Normally localhost:8000)
2. Go in "Setting".
3. And click on "Searches, reports, and alerts"
And Choose your SPL query name which you want to edit or view.

View solution in original post

vikramyadav
Contributor

Yes, it is possible to view or edit your SPL query without running it.
Steps
1. Login into your server (Normally localhost:8000)
2. Go in "Setting".
3. And click on "Searches, reports, and alerts"
And Choose your SPL query name which you want to edit or view.

Tedesco1
Path Finder

Thank you very much! I had no idea that was there.

0 Karma

vikramyadav
Contributor

No Problem, I am happy that you got your answer.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...