Alerting

6.1.3 to 6.2.1 upgrade, now missing saved searches and alerts.

sbrice36
Explorer

I am having an issue with saved searches and alerts after my 6.2.1 upgrade. The upgrade appears to be successful and everyone can navigate fine. However, it was just reported that saved searches and alerts are no longer present. I have a clustered environment with my main server running "deployment server/search head/license server/forwarder". I then have 6 remote forwarders and 2 indexers. Everything is reporting fine on phone home. I need to get my saved searches and saved alerts back. I know there is a savedsearches.conf; when I compared the two, they appear to be exact. Is there anything else I need to re-enable or refresh after an upgrade?

0 Karma
1 Solution

sbrice36
Explorer

Fixed- Thank you somesoni2, I moved the default.meta data file and restarted services and all saved alerts are back. I am not sure why that wasn't pulled over during the upgrade, but it's fixed now. The person who was going to re-write the alerts is very happy now!

0 Karma

somesoni2
Revered Legend

Check that the metadata entries are still intact for saved searches (etc/apps//metadata/local.meta).

0 Karma

sbrice36
Explorer

Thank you, taking a look now!

0 Karma

sbrice36
Explorer

/search-head/etc/apps/search/metadata "default.meta": On the backup directory it's 5660 in size, permissions set to -rw-rw-r--. On the upgrade directory it's 5701 in size, and permissions are -r--r--r--.

0 Karma
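The comparison done by hand in this thread (file mode, size, and whether the saved-search entries survived) can be scripted. The following is an added example, not code from the thread or from Splunk: the sample file contents and stanza names are constructed, and it assumes saved-search entries appear as `[savedsearches/<name>]` stanzas in the `.meta` files. In practice, pass `compare_meta` the backup and upgraded copies of the same file.

```python
import os, stat, tempfile
from pathlib import Path

# Constructed sample .meta contents; demo() applies the two modes quoted in the thread.
BACKUP = """[savedsearches/Failed%20Logins]
owner = admin
[savedsearches/Disk%20Alert]
export = none
"""
UPGRADED = """[savedsearches/Disk%20Alert]
export = system
"""

def parse_meta(text):  # .meta text -> {stanza: {key: value}}
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def compare_meta(backup, upgraded, prefix="savedsearches"):
    """Compare mode, size and saved-search stanzas of two .meta files."""
    report, parsed = {}, {}
    for label, path in (("backup", backup), ("upgraded", upgraded)):
        st = os.stat(path)
        report[label] = {"mode": stat.filemode(st.st_mode), "size": st.st_size}
        parsed[label] = {k: v for k, v in parse_meta(Path(path).read_text()).items()
                         if k.startswith(prefix)}
    old, new = parsed["backup"], parsed["upgraded"]
    report["missing"] = sorted(set(old) - set(new))   # in backup, gone after upgrade
    report["changed"] = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return report

def demo():
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, text, mode in (("backup", BACKUP, 0o664), ("upgraded", UPGRADED, 0o444)):
            paths.append(Path(d, name + ".meta"))
            paths[-1].write_text(text)
            paths[-1].chmod(mode)
        return compare_meta(*paths)

if __name__ == "__main__":
    print(demo())
```
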