Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splitting huge savedsearches.conf file into multiple files

xeyer10891
Engager
‎02-06-2023 05:28 AM

Hello team !

After unsuccessful research on the Internet / Splunk doc, I am turning to you for my question:
- Let's say I have 50 alerts in a single app, that are all stored in my file $SPLUNK_HOME$/etc/apps/<appname>/default/savedsearches.conf.

- For version control / code management, I want to split this single savedsearches.conf into multiples savedsearches.conf files so that developers can work with a folder directory looking like this:
| default |
| - | alerts |
| - | - | category_1_alerts |
| - | - | category_1_alerts | savedsearches.conf
| - | - | category_2_alerts |
| - | - | category_2_alerts | savedsearches.conf
...

- I tried without success on my Splunk instance. I don't know if it is possible, and if it this, I don't know if there are some statements to make in code (e.g. #include <filename>)

Have a nice day 🙂

PS :  In my version control / code management tool, I can always resort to concatenating all my files together when packaging Splunk code if I don't manage to find a better answer.

Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-06-2023 05:32 AM

Hi @xeyer10891,

no it isn't possible.

the only workaround is dividing alerts in different apps, but it isn't possible have a structured savedsearch.conf or local folder.

Ciao.

Giuseppe 

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-06-2023 05:32 AM

Hi @xeyer10891,

no it isn't possible.

the only workaround is dividing alerts in different apps, but it isn't possible have a structured savedsearch.conf or local folder.

Ciao.

Giuseppe 

Reply
Solved! Jump to solution

xeyer10891
Engager
‎02-06-2023 05:49 AM

Thanks a lot!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-06-2023 05:50 AM

Hi @xeyer10891,

see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...