unable to find a saved search asset_discovery


Hi everyone,

I've been playing around with the Splunk Asset Discovery app. I think it will be of use to our organisation, but I'm having some issues.

My environment looks like this, 3 separate systems:

  • 2x Splunk indexers
  • 1x Search head

Each system has the asset discovery app installed. The indexers are the ones actually running the nmap scripts.

On our search head I am getting these warnings. Warnings come up no matter what you are doing (even regular searches). It is very annoying:

  • [indexer1] Unable to find a saved search asset_discovery
  • [indexer2] Unable to find a saved search asset_discovery

The app is working correctly on the search head. Data/graphs/etc. are all functioning. It is just this warning message.

Anyone have any ideas, or know of a way to just disable the warning?

Splunk Employee

Hi Chris

The root cause here is that in the app "asset_discovery", the eventtype in this case is referencing a savedsearch. But in a distributed search setting, Splunk doesn't replicate savedsearches.conf from the search head to the peers.

The problem is that the app is not using a conventional definition for the eventtypes; that is not supported.

Workarounds:

  • Install the app on the search peers.
  • Change the bundle replication whitelist to add savedsearches.conf (this will be more costly for all your apps / searches).
  • Ask the author of the app to update the app to be compatible with distributed search.
  • Wait for an enhancement in Splunk to allow this.


Thanks for the response. I've got the app installed on the search peers. I'm thinking maybe I remove it from the search peers (indexers), run the app on a heavy forwarder and have this push/tag events into the indexer cluster.

I've removed it from the search head for the time being, so the annoying messages are gone.

What's weird is that everything is functioning correctly. The app works really well. It is just that yellow warning message.


In the savedsearches.conf there is:

# Base Search
search = index=asset_discovery
is_visible = false

And in eventtypes.conf :

# eventtypes.conf

search = savedsearch=asset_discovery sourcetype=ping_scan "Host:" "Status:"

search = savedsearch=asset_discovery sourcetype=port_scan "Host:" "Ports:" "Ignored State:"

Do you have those? And do you see a config error when you start Splunk from the command line?
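
The two points above (an eventtype whose search references a savedsearch, and savedsearches.conf not being replicated to the search peers) can be checked mechanically before an app is deployed to a distributed setup. The following is an added Python example, not code from the app or from anyone in this thread: it parses Splunk .conf syntax with a minimal parser, collects every savedsearch= reference in eventtypes.conf, and reports the references that do not resolve against a given host's savedsearches.conf. The sample files are constructed from the snippets in this post; the eventtype stanza names asset_discovery_ping_scan and asset_discovery_port_scan are assumed, since the post does not show them.

```python
import re
from typing import Dict, List, Set

# Matches "savedsearch=<name>" (optionally quoted) inside an SPL search string.
SAVEDSEARCH_REF = re.compile(r'\bsavedsearch\s*=\s*"?([^\s"]+)"?')


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk .conf syntax: [stanza] headers and key = value lines.

    Comments (#) and blank lines are skipped; settings that appear before any
    header land in the implicit "default" stanza, as Splunk treats them.
    """
    stanzas: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def savedsearch_refs(eventtypes: Dict[str, Dict[str, str]]) -> Dict[str, Set[str]]:
    """Map each eventtype stanza to the saved-search names its search references."""
    refs: Dict[str, Set[str]] = {}
    for name, settings in eventtypes.items():
        found = set(SAVEDSEARCH_REF.findall(settings.get("search", "")))
        if found:
            refs[name] = found
    return refs


def unresolved_refs(eventtypes_text: str, savedsearches_text: str) -> Dict[str, List[str]]:
    """Return {eventtype: [missing saved searches]} for one host's config bundle.

    An empty dict means every savedsearch= reference resolves locally, which is
    what a search peer needs in order to evaluate the eventtype without warnings.
    """
    defined = set(parse_conf(savedsearches_text)) - {"default"}
    refs = savedsearch_refs(parse_conf(eventtypes_text))
    return {et: sorted(names - defined) for et, names in refs.items() if names - defined}


# Constructed sample files modelled on the snippets in this thread.
# The eventtype stanza names are assumptions; the post does not show them.
EVENTTYPES_CONF = """\
[asset_discovery_ping_scan]
search = savedsearch=asset_discovery sourcetype=ping_scan "Host:" "Status:"

[asset_discovery_port_scan]
search = savedsearch=asset_discovery sourcetype=port_scan "Host:" "Ports:" "Ignored State:"
"""

# What the search head has on disk.
SEARCH_HEAD_SAVEDSEARCHES = """\
[asset_discovery]
# Base Search
search = index=asset_discovery
is_visible = false
"""

# What a search peer sees when savedsearches.conf is not replicated: nothing.
PEER_SAVEDSEARCHES = ""


def check_hosts(hosts: Dict[str, str],
                eventtypes_text: str = EVENTTYPES_CONF) -> Dict[str, Dict[str, List[str]]]:
    """Run the check for several hosts; hosts maps a host name to its savedsearches.conf text."""
    return {host: unresolved_refs(eventtypes_text, conf) for host, conf in hosts.items()}


if __name__ == "__main__":
    report = check_hosts({"search-head": SEARCH_HEAD_SAVEDSEARCHES,
                          "indexer1": PEER_SAVEDSEARCHES,
                          "indexer2": PEER_SAVEDSEARCHES})
    for host, problems in report.items():
        if not problems:
            print(f"[{host}] all savedsearch references resolve")
        for et, missing in problems.items():
            print(f"[{host}] eventtype {et}: unable to find saved search {', '.join(missing)}")
```

Run against the real files, the savedsearches.conf text for each peer would come from that peer's app directory (or from the replicated bundle), and a non-empty result for a peer is exactly the condition that produces the "Unable to find a saved search" warning described in this thread.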


I haven't tried only having the app on the search head. I'd prefer to have our indexers doing the heavy lifting (running scans).

Nothing stands out in the search "index=_internal asset_discovery".


Have you dug into the internal index (index=_internal asset_discovery)?
Have you tried only putting the app on the search head?


The savedsearches.conf and eventtypes.conf are present and correct on all systems (search head and indexers).

I tested restarting Splunk on the command line and there were no config errors. Ran btool as well.

Also checked permissions on the asset_discovery saved searches on the indexers; currently set to global and everyone has permission to read results.
