Solved: Splitting huge savedsearches.conf file into multip...

xeyer10891 · ‎02-06-2023

Hello team !

After unsuccessful research on the Internet / Splunk doc, I am turning to you for my question:
- Let's say I have 50 alerts in a single app, that are all stored in my file $SPLUNK_HOME$/etc/apps/<appname>/default/savedsearches.conf.

- For version control / code management, I want to split this single savedsearches.conf into multiples savedsearches.conf files so that developers can work with a folder directory looking like this:
| default |
| - | alerts |
| - | - | category_1_alerts |
| - | - | category_1_alerts | savedsearches.conf
| - | - | category_2_alerts |
| - | - | category_2_alerts | savedsearches.conf
...

- I tried without success on my Splunk instance. I don't know if it is possible, and if it this, I don't know if there are some statements to make in code (e.g. #include <filename>)

Have a nice day 🙂

PS : In my version control / code management tool, I can always resort to concatenating all my files together when packaging Splunk code if I don't manage to find a better answer.

gcusello · ‎02-06-2023

Hi @xeyer10891,

no it isn't possible.

the only workaround is dividing alerts in different apps, but it isn't possible have a structured savedsearch.conf or local folder.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎02-06-2023

Hi @xeyer10891,

no it isn't possible.

the only workaround is dividing alerts in different apps, but it isn't possible have a structured savedsearch.conf or local folder.

Ciao.

Giuseppe

xeyer10891 · ‎02-06-2023

Thanks a lot!

gcusello · ‎02-06-2023

Hi @xeyer10891,

see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Splitting huge savedsearches.conf file into multiple files

other

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?