Hello. I had to move my entire old Splunk directory to a new filesystem for archiving as it was pretty hosed. Did a reinstall back to /opt/splunk and have just been setting it all up again. I created some pretty specific alerts previously that I would like to see if I can just copy over from the old instance. Does anyone know where those are stored?
Alerts are basically saved searches that executes an actions, so just look for savedsearches.conf files in $Splunk_home/etc/apps/<appname>/local, $Splunk_home/etc/apps/<appname>/default and $Splunk_home/etc/users/<username>/<appname>/local
Awesome. Looking through them (there were like 10 instances of that file), I found the ones I needed. I just copied $OldSPlunk/etc/users/admin/search/local/savedsearches.conf to #Splunk_home/etc/users/admin/search/local/savedsearches.conf and it worked like a charm! Thanks a lot somesoni2!
