# Saved Searches

Saved Searches store your queries so you don't need to rebuild them each time. You can attach notification targets (email, Slack, PagerDuty, webhook) to a saved search and receive alerts whenever new matching records appear. You can also enable SIEM Forwarding to route matching events to your SIEM.

## Create a saved search

The Saved Searches panel is accessible from **Search** in the side panel.

### Example: monitor new cron jobs

1. **Run a query** — Enter a query, such as `metadata.name ~= "*"` for cron jobs. Click **Search** to confirm it returns results.

   <figure><img src="https://4237643999-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBmf9RZ2wNSc4znG5gBc1%2Fuploads%2Fgit-blob-8fb95233ace8ed3ad50cfa63f45c4d5c4fbfc705%2F21%20(1).png?alt=media" alt="Search bar with a cron job query entered"><figcaption><p>Run the query to verify it returns results before saving.</p></figcaption></figure>
2. **Save the query** — Click **Save Search**.

   <figure><img src="https://4237643999-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBmf9RZ2wNSc4znG5gBc1%2Fuploads%2Fgit-blob-6e98e3fd7f147350ee0e4a89ff8f95757d079210%2F21%20(2).png?alt=media" alt="Save Search button in the search toolbar"><figcaption><p>Click Save Search to open the saved search configuration dialog.</p></figcaption></figure>
3. **Configure notifications** — In the dialog that appears:

   * Edit the auto-generated name if needed (e.g., "New Cron Jobs").
   * Add an optional description.
   * Toggle **Notification Status** to enabled if you want alerts immediately.
   * Click **Add Target** to configure notification channels. You can add multiple targets.

   <figure><img src="https://4237643999-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBmf9RZ2wNSc4znG5gBc1%2Fuploads%2Fgit-blob-94691ae665615a209e405b5a0754c0e083856107%2F21%20(3).png?alt=media" alt="Saved search configuration dialog showing name, description, and notification status fields"><figcaption><p>Configure the name, description, and notification status for the saved search.</p></figcaption></figure>

   Supported notification channels: Email, Slack, PagerDuty, Webhook.

   <figure><img src="https://4237643999-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBmf9RZ2wNSc4znG5gBc1%2Fuploads%2Fgit-blob-4270398f4f55b00696257d4e6fd70638384b1b17%2F21%20(4).png?alt=media" alt="Notification target type selection showing Email, Slack, PagerDuty, and Webhook options"><figcaption><p>Select a notification channel and configure its destination.</p></figcaption></figure>
4. **Save** — Click **Save** to finish.

After saving, you can manage the query from the Saved Searches page: edit the query, run it manually, toggle it on or off, or delete it.

***

## SIEM Forwarding

Beyond notifications, saved searches can also forward matching events to your SIEM. Enable the **SIEM Forwarding** toggle in **Additional Settings** when editing a saved search — this requires the `org:ManageSiemForwarding` permission. Once enabled, Spyderbat routes records matching the query to the SIEM forwarding API, where the Event Forwarder picks them up and delivers them to your destination. Changes take effect immediately for new matching records — forwarding is not applied retroactively to records that existed before you enabled it.

See [SIEM Forwarding](https://docs.spyderbat.com/concepts/integrations/siem-forwarding) for the full setup guide.

***

## Manage saved searches with spyctl

The spyctl CLI uses `saved-query` as the resource name (for example, `spyctl get saved-queries`). This refers to the same thing as a saved search in the console UI — the terms are interchangeable.

### Retrieve saved searches

```bash
spyctl get saved-queries
```

### Create a saved search

```bash
spyctl create saved-query --help
```

```
Options:
  -o, --output [yaml|json|ndjson|default]
  -a, --apply                     Apply the saved query during creation.
  -n, --name TEXT                 The name of the saved query.
  -q, --query TEXT                The query to be saved.
  -d, --description TEXT          A description of the saved query.
  -s, --schema TEXT               The schema of the saved query.
  -y, --yes                       Automatically answer yes to all prompts.

Usage:
  spyctl create saved-query [OPTIONS]
```

Example:

```bash
spyctl create saved-query \
  -n "Monitor Deployment with Replicas more than 5" \
  -q "spec.replicas > 5" \
  -s "Deployment"
```

To list all available schemas:

```bash
spyctl search --list-schemas
```
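To keep saved searches reviewable in version control, the following added example (not Spyderbat code) validates a list of definitions and then creates each one using only the `spyctl create saved-query` flags shown in the help output above. The `name|schema|query|description` file format, the function names, and the `SPYCTL` override variable are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not Spyderbat code): create saved searches from a reviewed
# definitions list using only the flags shown in the help output above.
SPYCTL="${SPYCTL:-spyctl}"   # assumption: spyctl is on PATH and logged in

# Constructed sample definitions, one per line: name|schema|query|description
# Assumption: no field contains '|'. The second entry is illustrative only.
sample_definitions() {
  cat <<'EOF'
# name|schema|query|description
Monitor Deployment with Replicas more than 5|Deployment|spec.replicas > 5|Large deployments
All Deployments|Deployment|metadata.name ~= "*"|
EOF
}

# Read definitions on stdin; print one message per bad line, non-zero if any.
# Duplicate names are rejected because edit addresses a query by name or ID.
validate_definitions() {
  awk -F'|' '
    /^#/ || /^$/ { next }
    NF != 4 { printf "line %d: expected 4 fields, got %d\n", NR, NF; bad = 1; next }
    $1 == "" || $2 == "" || $3 == "" {
      printf "line %d: name, schema and query are required\n", NR; bad = 1; next }
    seen[$1]++ { printf "line %d: duplicate name \"%s\"\n", NR, $1; bad = 1 }
    END { exit bad + 0 }'
}

# Validate everything first, then create and apply each saved query.
apply_definitions() {
  defs=$(cat)
  printf '%s\n' "$defs" | validate_definitions >&2 || return 1
  printf '%s\n' "$defs" | while IFS='|' read -r name schema query desc; do
    case "$name" in ''|'#'*) continue ;; esac
    set -- create saved-query -n "$name" -q "$query" -s "$schema" -a -y
    if [ -n "$desc" ]; then set -- "$@" -d "$desc"; fi
    "$SPYCTL" "$@" </dev/null || exit 1
  done
}

# Offline check of the sample; to create them: sample_definitions | apply_definitions
sample_definitions | validate_definitions && echo "definitions OK"
```

Nothing is sent to Spyderbat unless validation passes for every line, so a malformed or duplicate entry cannot leave the list half-applied.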

### Edit a saved search

```bash
spyctl edit saved-query <NAME_OR_ID>
```

Replace `<NAME_OR_ID>` with the ID or name of the saved search you want to edit. After editing the YAML and applying the change, you'll see a confirmation: `Successfully edited Saved Query 'query:id'`.
