Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to copy savedsearches.conf from an old Splunk app to a recent one (newest Splunk version)?

skender27
Contributor
‎09-15-2016 06:21 AM

Hi,

The requirement is to have the same dashboard (lots of href links to searches in Splunk organized in blockes) when building up a new Splunk distributed platform.

I am thinking to reuse the same savedsearches.conf (a large one made in html) from a Splunk 5.0.9 to a recent version and so copying it under the same app local folder...
What issues should I consider (except removing the vsid row from each search saved)?

Thanks a lot,
Skender

0 Karma
Reply

somesoni2
Revered Legend
‎09-15-2016 07:49 AM

You would need to copy the savedsearches.conf and corresponding local.meta entries (yourApp/metadata folder). The local.meta would define the permissions and scope (visibility) for the searches (required).

Reply

skender27
Contributor
‎10-10-2016 01:55 AM

Unfortunatelly no (should I override the existing folder?).

In fact, it is unnecessary now because some of them are obsolete . Well in this case I think I have to re-create all the searches which feed the href links of the dashboard.

I will let you know,
Skender

0 Karma
Reply

skender27
Contributor
‎10-05-2016 08:35 AM

Hi,

I tried deleting the vsid attributes from the copied savedsearches.conf, but still i couldn't get the old searches.
Probably because of different Splunk versions: the old one was a Enterprise 5.0.8 and the new one was a 6.4.
Could it be the reason?

Skender

0 Karma
Reply

somesoni2
Revered Legend
‎10-05-2016 09:10 AM

And did you copy the .meta entries as well?

0 Karma
Reply

skender27
Contributor
‎09-15-2016 08:00 AM

Sure, I will try next week and I'll share how this behaves.

Thanks a lot,
Skender

0 Karma
Reply

skender27
Contributor
‎09-15-2016 06:36 AM

Precision: "a large one made in html" I mean the dashboard, not the .conf file.

Skender

0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎09-15-2016 06:36 AM

Yes, Should be perfectly fine. Give it a try and let me know the results.

Reply

skender27
Contributor
‎09-15-2016 08:02 AM

I can try this only the next week...
I will share all the results about this issue.

Thanks,
Skender

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...