Alerting
Highlighted

6.1.3 to 6.2.1 ugrade, Now missing saved searches and alerts.

Explorer

I am having an issue with saved searches and alerts after my 6.2.1 upgrade. The upgrade appears to be successful and everyone can navigate fine. However, it was just reported that saved searches and alerts are no longer present. I have a clustered environment with my main server running "deployment server/search head/license server/forwarder" I then have 6 remote forwarders and 2 indexers. Everything is reporting fine on phone home. I need to get my saved searches back and saved alerts. I know there is a savedsearches.conf, when I compared the two, they appear to be exact. Is there anything else I need to re-enable or refresh after an upgrade?

0 Karma
Highlighted

Re: 6.1.3 to 6.2.1 ugrade, Now missing saved searches and alerts.

SplunkTrust
SplunkTrust

check the metadata entries are still intact for saved searches (etc/apps//metadata/local.meta)

0 Karma
Highlighted

Re: 6.1.3 to 6.2.1 ugrade, Now missing saved searches and alerts.

Explorer

Thank you, taking a look now!

0 Karma
Highlighted

Re: 6.1.3 to 6.2.1 ugrade, Now missing saved searches and alerts.

Explorer

/search-head/etc/apps/search/metadata "default.meta" On the backup directory it's 5660 in size, permissions set to -rw-rw-r-- .On the upgrade directory its 5701 in size, and permissions are -r--r--r--

0 Karma
Highlighted

Re: 6.1.3 to 6.2.1 ugrade, Now missing saved searches and alerts.

Explorer

Fixed- Thank you somesoni2, I moved the default.meta data file and restarted services and all saved alerts are back. I am not sure why that wasn't pulled over during the upgrade, but it's fixed now. The person who was going to re-write the alerts is very happy now!

View solution in original post

0 Karma