Solved: Re: Splitting huge savedsearches.conf file into mu...

xeyer10891 · ‎02-06-2023

Hello team !

After unsuccessful research on the Internet / Splunk doc, I am turning to you for my question:
- Let's say I have 50 alerts in a single app, that are all stored in my file $SPLUNK_HOME$/etc/apps/<appname>/default/savedsearches.conf.

- For version control / code management, I want to split this single savedsearches.conf into multiples savedsearches.conf files so that developers can work with a folder directory looking like this:
| default |
| - | alerts |
| - | - | category_1_alerts |
| - | - | category_1_alerts | savedsearches.conf
| - | - | category_2_alerts |
| - | - | category_2_alerts | savedsearches.conf
...

- I tried without success on my Splunk instance. I don't know if it is possible, and if it this, I don't know if there are some statements to make in code (e.g. #include <filename>)

Have a nice day 🙂

PS : In my version control / code management tool, I can always resort to concatenating all my files together when packaging Splunk code if I don't manage to find a better answer.

gcusello · ‎02-06-2023

Hi @xeyer10891,

no it isn't possible.

the only workaround is dividing alerts in different apps, but it isn't possible have a structured savedsearch.conf or local folder.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎02-06-2023

Hi @xeyer10891,

no it isn't possible.

the only workaround is dividing alerts in different apps, but it isn't possible have a structured savedsearch.conf or local folder.

Ciao.

Giuseppe

xeyer10891 · ‎02-06-2023

Thanks a lot!

gcusello · ‎02-06-2023

Hi @xeyer10891,

see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Splitting huge savedsearches.conf file into multiple files

Other

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting