Saved Searches

Store and reuse search queries in Spyderbat. Enable notifications and SIEM forwarding on saved queries to automate alerting and event delivery.

Saved Searches store your queries so you don't need to rebuild them each time. You can attach notification targets (email, Slack, PagerDuty, webhook) to a saved search and receive alerts whenever new matching records appear. You can also enable SIEM Forwarding to route matching events to your SIEM.

The Saved Searches panel is accessible from Search in the side panel.

Example: monitor new cron jobs

  1. Run a query — Enter a query that matches the records you care about, such as metadata.name ~= "*" scoped to cron jobs. Click Search and confirm it returns results before you save it.

    [Screenshot: search bar with a cron job query entered. Run the query to verify it returns results before saving.]
  2. Save the query — Click Save Search.

    [Screenshot: Save Search button in the search toolbar. Click Save Search to open the saved search configuration dialog.]
  3. Configure notifications — In the dialog that appears:

    • Edit the auto-generated name if needed (e.g., "New Cron Jobs").

    • Add an optional description.

    • Toggle Notification Status on if you want alerts to start as soon as the search is saved; leave it off to save the query without alerting yet.

    • Click Add Target to configure notification channels. You can add multiple targets.

    [Screenshot: saved search configuration dialog with name, description, and notification status fields.]

    Supported notification channels: Email, Slack, PagerDuty, Webhook.

    [Screenshot: notification target type selection showing Email, Slack, PagerDuty, and Webhook. Select a channel and configure its destination.]
  4. Save — Click Save to finish.

After saving, you can manage the query from the Saved Searches page: edit the query, run it manually, toggle it on or off, or delete it.


SIEM Forwarding

Beyond notifications, a saved search can also forward matching events to your SIEM. Enable the SIEM Forwarding toggle in Additional Settings when editing a saved search; this requires the org:ManageSiemForwarding permission. Once enabled, Spyderbat routes records matching the query to the SIEM forwarding API, where the Event Forwarder picks them up and delivers them to your destination. The change takes effect immediately for new matching records, but forwarding is not retroactive: records that matched before you enabled it are not sent.

See SIEM Forwarding for the full setup guide.
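To make the record flow concrete, here is a small Python model, added as an example and not Spyderbat's own code, of how a saved search yields notifications and SIEM-forwarded records. It assumes records are dicts with id, time and metadata keys (a constructed shape), treats ~= as a wildcard match (the "*" in the example query suggests this, but the operator's exact semantics are an assumption), and gates forwarding on the time forwarding was enabled, so that nothing is forwarded retroactively and a record is only ever notified once.

```python
"""Illustrative model of a saved search driving notifications and SIEM
forwarding. Constructed example; not Spyderbat code."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Set, Tuple
import re

# Single-clause query form as on the page, e.g. metadata.name ~= "*".
# Assumption: '~=' is a wildcard match; '=' and '!=' are exact compares.
_CLAUSE = re.compile(r'^\s*([\w.]+)\s*(~=|=|!=)\s*"([^"]*)"\s*$')


def parse_query(query: str) -> Tuple[str, str, str]:
    m = _CLAUSE.match(query)
    if not m:
        raise ValueError(f"unsupported query: {query!r}")
    return m.group(1), m.group(2), m.group(3)


def get_field(record: dict, dotted: str):
    """Walk a dotted path like metadata.name; None if any hop is missing."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(record: dict, query: str) -> bool:
    field_name, op, value = parse_query(query)
    actual = get_field(record, field_name)
    if actual is None:
        return False  # a missing field never matches
    actual = str(actual)
    if op == "~=":
        return fnmatchcase(actual, value)
    if op == "=":
        return actual == value
    return actual != value


@dataclass
class SavedSearch:
    name: str
    query: str
    notifications_enabled: bool = False
    # Epoch seconds at which SIEM forwarding was switched on; None = off.
    siem_forwarding_enabled_at: Optional[float] = None
    _seen: Set[str] = field(default_factory=set)

    def process(self, records: List[dict]) -> Tuple[List[str], List[str]]:
        """Return (notify, forward) record ids for this batch.

        notify: new matches (never seen before) when notifications are on.
        forward: the subset of those created at or after forwarding was
                 enabled, so older matches are never forwarded retroactively.
        """
        notify, forward = [], []
        for rec in records:
            if rec["id"] in self._seen or not matches(rec, self.query):
                continue
            self._seen.add(rec["id"])
            if self.notifications_enabled:
                notify.append(rec["id"])
            if (self.siem_forwarding_enabled_at is not None
                    and rec["time"] >= self.siem_forwarding_enabled_at):
                forward.append(rec["id"])
        return notify, forward


# Constructed sample records: two cron jobs and one process.
SAMPLE_RECORDS = [
    {"id": "cron-1", "time": 100.0, "metadata": {"name": "backup"}},
    {"id": "cron-2", "time": 250.0, "metadata": {"name": "logrotate"}},
    {"id": "proc-1", "time": 260.0, "metadata": {"name": "bash"}},
]


def demo():
    search = SavedSearch("New Cron Jobs", 'metadata.name ~= "*"',
                         notifications_enabled=True,
                         siem_forwarding_enabled_at=200.0)
    first = search.process(SAMPLE_RECORDS)   # all three are new matches
    second = search.process(SAMPLE_RECORDS)  # same batch again: nothing new
    return first, second


if __name__ == "__main__":
    print(demo())
```

The first pass notifies on all three records but forwards only cron-2 and proc-1, because cron-1 predates the moment forwarding was enabled; the second pass yields nothing, since every record has already been seen.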


Manage saved searches with spyctl

The spyctl CLI uses saved-query as the resource name (for example, spyctl get saved-queries). This refers to the same thing as a saved search in the console UI — the terms are interchangeable.

Retrieve saved searches

Create a saved search

Example:

To list all available schemas:

Edit a saved search

Replace <NAME_OR_ID> with the name or ID of the saved search you want to edit. After editing the YAML and applying the change, you'll see a confirmation: Successfully edited Saved Query 'query:id'.
