Solved: View saved search SPL without running the search

Tedesco1 · ‎05-14-2019

Hi all,

I have a few saved searches running on a schedule that I'm using to populate a summary index. My problem is that, in order to edit or view the SPL, I have to click "open in search"... which automatically executes the search at that time.

Then when I want to save them I have to run them again, otherwise the "save" button is disabled.

These searches contain the collect command, so I generally don't want to run them except for when I've scheduled them to run. Is there any way (other than the command line) to edit these saved searches in a way that doesn't force me to actually run the search?

vikramyadav · ‎05-14-2019

Yes, it is possible to view or edit your SPL query without running it.
Steps
1. Login into your server (Normally localhost:8000)
2. Go in "Setting".
3. And click on "Searches, reports, and alerts"
And Choose your SPL query name which you want to edit or view.

View solution in original post

vikramyadav · ‎05-14-2019

Yes, it is possible to view or edit your SPL query without running it.
Steps
1. Login into your server (Normally localhost:8000)
2. Go in "Setting".
3. And click on "Searches, reports, and alerts"
And Choose your SPL query name which you want to edit or view.

Tedesco1 · ‎05-14-2019

Thank you very much! I had no idea that was there.

vikramyadav · ‎05-15-2019

No Problem, I am happy that you got your answer.

View saved search SPL without running the search

Using Machine Learning for Hunting Security Threats

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

How I Instrumented a Rust Application Without Knowing Rust