logstash doesn't currently support saved queries (if you mean letting you save queries you like for later, easy recall), but I'm open to all feature suggestions.
I'm not going to have any time for the next few weeks to try it out but I'm really interested in using this as an open source alternative to logrhythm or arcsight for forensics, incident response and intrusion detection.
Believe me, if you can pull this off you will have a massively disruptive tool on your hands.
File a request, or email the list: - http://code.google.com/p/logstash/issues/list - logstash-users@googlegroups.com
I'll know what to work on (besides my own priorities) based on requests/feedback :)