Whether you are running ad hoc searches during a forensic investigation or running standard searches for health checks, you can save any search to run again later.
When you create a search that you would like to reuse, you can save it, and it will be stored in the Library. From there you can run it again, publish it to share with others in your organization, edit the search, or create a Scheduled Search to run at a regularly scheduled time, and even set up alerts. You can also share a search via a link.
The saved search will also include any charts you have created in the Aggregates tab.
To save a search:
- Run a search query you'd like to save.
- (Optional) After the search results are complete, in the Aggregates tab, select a chart type to display the data visually.
- Click Save As below the search field.
- In the Save Search As dialog, for Name, enter a name for your Saved Search.
- (Optional) If you'd like, type a description to help you identify this search.
- The search query populates automatically in the Search field. You can make changes to the search syntax or query details if you need to.
- Choose a Time Range option that will be the default range when you run the saved search.
- Select Use Receipt Time to run the search by receipt time by default.
- Select the Location to save to in the Library where you would like to save your search.
- Click Save.
To add a schedule to the saved search to run periodically with an optional alert, see Schedule a Search.