Saved Searches

Last updated 4 months ago

What are Saved Searches?

Saved Searches in Spyderbat provide a convenient way to store your Search queries in one place, eliminating the need to reconstruct them each time. They also allow you to set up notifications via Email, Slack, PagerDuty, or Webhooks, ensuring you're notified with full context whenever the search criteria are met.

How to Use Saved Searches in Console

The Saved Searches page can be accessed from the "Search" section in the side panel. Saved Searches are incredibly simple to use. Here's a quick example to get you started in 4 steps.

Example Use Case: Monitoring new Cronjobs

  1. Run a Query

    • Enter your desired query for Cronjobs, such as metadata.name ~= "*". Saved Searches eliminate the need to repeatedly construct this query.

    • Use the "Search" button to ensure it works as expected.

    • Running the query searches historical records only; it returns the records that match, or nothing if none do.

  2. Save the Query

    • Click the Save Search button.

  3. Set Up Notifications

    • Once you save a search, a configuration prompt for the Saved Search will appear.

    • A default Name is generated; you can also provide a custom name for the Saved Search (e.g., "New Cronjobs Monitoring").

    • Add an optional Description to clarify the query’s purpose.

    • Toggle the Notification Status to "Enabled" if you want to start receiving notifications immediately. You can turn this off at any time to stop receiving notifications.

    • Click Add Target to configure your preferred notification channels. You can add multiple targets per query.

    • Note that notifications are sent to the targets when new records matching the query are observed in real time.

    • Configure notifications to be sent through one or more channels: Email, Slack, PagerDuty, or Webhook.

  4. Save the Configuration

    • Once all settings are configured, click Save.

After creating a saved search, you can view and manage it on the Saved Searches page. There, you can edit the conditions, run the query, enable or disable it, or delete it as needed.


Managing Saved Searches with Spyctl

Overview

Spyderbat's Spyctl offers a command-line interface to create, retrieve, and edit Saved Searches efficiently. This document provides a detailed guide on how to perform these actions.


Retrieving Saved Searches

To retrieve all existing Saved Searches, use the following command:

$ spyctl get saved-queries

This command lists all Saved Searches currently available in your environment.


Creating a Saved Search

The spyctl create saved-query command allows you to define and save a new query. To see all available options, use:

$ spyctl create saved-query --help

Options:
  -o, --output [yaml|json|ndjson|default]
  -a, --apply                     Apply the saved query during creation.
  -n, --name TEXT                 The name of the saved query.
  -q, --query TEXT                The query to be saved.
  -d, --description TEXT          A description of the saved query.
  -s, --schema TEXT               The schema of the saved query.
  -y, --yes                       Automatically answer yes to all prompts.

Usage:
  spyctl create saved-query [OPTIONS]

Example Command Usage:

   $ spyctl create saved-query \
     -n "Monitor Deployment with Replicas more than 5" \
     -q "spec.replicas > 5" \
     -s "Deployment"

Note that the spyctl search --list-schemas command lists all available schemas, helping you identify which schemas can be queried.
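The Python script below is an added illustration, not Spyderbat's code and not spyctl's implementation. It models what a Saved Search does in both sections above: the stored query is run on demand against historical records (step 1 in the console walkthrough), and newly observed records are evaluated in real time, with a notification sent to each configured target only while the search is enabled. It uses the two queries shown on this page, metadata.name ~= "*" against the CronJob schema and spec.replicas > 5 against Deployment. The query grammar (field path, operator, value), the reading of ~= as a shell-style wildcard match suggested by the "*" example, and the sample records are all assumptions made for this example; the real search language and record fields are documented under Reference > Search.

```python
import fnmatch
import re
from dataclasses import dataclass, field

# Constructed sample records, shaped loosely like Kubernetes objects (assumption).
HISTORICAL_RECORDS = [
    {"schema": "CronJob", "metadata": {"name": "nightly-backup"}, "spec": {}},
    {"schema": "Deployment", "metadata": {"name": "api"}, "spec": {"replicas": 3}},
    {"schema": "Deployment", "metadata": {"name": "web"}, "spec": {"replicas": 8}},
]

# Assumed grammar: <field.path> <operator> <value>. The real search language
# supports more than this; only the forms used on this page are modelled.
_QUERY_RE = re.compile(r"^\s*([\w.]+)\s*(~=|!=|>=|<=|=|>|<)\s*(.+?)\s*$")


def _lookup(record, path):
    """Walk a dotted path such as spec.replicas; None if any segment is absent."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _parse_value(text):
    """Quoted text is a string; otherwise try int, then float, else raw text."""
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    for conv in (int, float):
        try:
            return conv(text)
        except ValueError:
            pass
    return text


def compile_query(query):
    """Turn a query string into a predicate over a record dict."""
    m = _QUERY_RE.match(query)
    if not m:
        raise ValueError(f"unsupported query: {query!r}")
    path, op, raw = m.groups()
    value = _parse_value(raw)

    def matches(record):
        actual = _lookup(record, path)
        if actual is None:
            return False  # a missing field never matches
        if op == "~=":  # assumed: shell-style wildcard match, as "*" suggests
            return fnmatch.fnmatchcase(str(actual), str(value))
        if op == "=":
            return actual == value
        if op == "!=":
            return actual != value
        if isinstance(actual, (int, float)) and isinstance(value, (int, float)):
            return {">": actual > value, ">=": actual >= value,
                    "<": actual < value, "<=": actual <= value}[op]
        return False  # ordering comparisons only apply to numbers

    return matches


@dataclass
class SavedSearch:
    name: str
    query: str
    schema: str
    targets: list = field(default_factory=list)  # e.g. ["slack", "email"]
    enabled: bool = False                        # Notification Status toggle
    sent: list = field(default_factory=list)     # log of notifications sent

    def run(self, records):
        """On-demand run: return the historical records that match."""
        match = compile_query(self.query)
        return [r for r in records if r["schema"] == self.schema and match(r)]

    def observe(self, record):
        """Real-time path: a newly observed record yields one notification per
        target, but only when it matches and notifications are enabled."""
        if not self.enabled or not self.targets:
            return []
        if record["schema"] != self.schema or not compile_query(self.query)(record):
            return []
        notes = [(t, self.name, record["metadata"]["name"]) for t in self.targets]
        self.sent.extend(notes)
        return notes


def demo():
    """Walk both searches from this page through the historical and real-time paths."""
    cron = SavedSearch("New Cronjobs Monitoring", 'metadata.name ~= "*"',
                       "CronJob", targets=["slack"], enabled=True)
    deploy = SavedSearch("Monitor Deployment with Replicas more than 5",
                         "spec.replicas > 5", "Deployment", targets=["email"])
    new_cron = {"schema": "CronJob", "metadata": {"name": "unreviewed-cleanup"}, "spec": {}}
    new_deploy = {"schema": "Deployment", "metadata": {"name": "worker"}, "spec": {"replicas": 12}}
    result = {
        "cron_history": [r["metadata"]["name"] for r in cron.run(HISTORICAL_RECORDS)],
        "cron_realtime": cron.observe(new_cron),
        "cron_ignores_other_schema": cron.observe(new_deploy),
        "deploy_history": [r["metadata"]["name"] for r in deploy.run(HISTORICAL_RECORDS)],
        "deploy_disabled": deploy.observe(new_deploy),
    }
    deploy.enabled = True  # turning Notification Status on later, as the console allows
    result["deploy_enabled"] = deploy.observe(new_deploy)
    return result


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point the model makes explicit is the split between the two paths: run() only looks backwards over stored records and never notifies, while observe() is the path that fires targets, and it stays silent whenever the search is disabled or has no targets, which is why the console lets you toggle Notification Status independently of editing the query.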


Editing a Saved Search

To edit an existing Saved Search, use the spyctl edit saved-query command. You need to provide the query ID or name as an argument.

$ spyctl edit saved-query <NAME_OR_ID>

Replace <NAME_OR_ID> with the actual ID or name of the Saved Search you want to edit.

After editing the YAML and applying the change, you should see "Successfully edited Saved Query 'query:id'".