
How to find .conf files on a Splunk interface which is only accessible via a URL?

hunterpj
Path Finder

I need to locate the savedsearches.conf on a Splunk web server, i.e. I can only reach this Splunk instance with a URL. If there is an app that allows this to happen, that would be great too. I essentially want to copy/paste these alerts from the online instance to another instance; however, I can only obtain the saved search properties via job inspection, which isn't in the format I want.


MuS
SplunkTrust

Hi hunterpj,

You can always use REST calls if you have the privilege to use them:

 | REST splunk_server=local /servicesNS/-/-/saved/searches/

will give you a list of the saved searches that are not private.

There is also an App called Web Terminal https://splunkbase.splunk.com/app/1607/ which allows you to use btool from the Splunk UI and therefore use this command to list all saved searches from any savedsearches.conf:

splunk cmd btool savedsearches list --debug

Remember you need to exclude all default settings from this output.

Hope this helps ...

cheers, MuS
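
The filtering step mentioned in the answer above (dropping default settings from the `btool ... --debug` output), as an added example that is not part of the original post. It assumes every `--debug` line starts with the source .conf path, that paths contain no whitespace, and that each setting sits on one line; the sample output, paths and stanza names are constructed.

```python
import re

# Constructed sample of `splunk cmd btool savedsearches list --debug` output.
# Paths, stanza names and values are illustrative, not from a real host.
SAMPLE = """\
/opt/splunk/etc/apps/sec_alerts/local/savedsearches.conf    [Failed Logins]
/opt/splunk/etc/system/default/savedsearches.conf           action.email = 0
/opt/splunk/etc/apps/sec_alerts/local/savedsearches.conf    cron_schedule = */5 * * * *
/opt/splunk/etc/system/default/savedsearches.conf           dispatch.ttl = 2p
/opt/splunk/etc/apps/sec_alerts/local/savedsearches.conf    search = index=auth action=failure | stats count by user
/opt/splunk/etc/system/default/savedsearches.conf           [default]
/opt/splunk/etc/system/default/savedsearches.conf           action.email = 0
"""

# "<source file>   <stanza header or key = value>"
LINE = re.compile(r"^(?P<src>\S+\.conf)\s+(?P<body>.*)$")

def strip_defaults(btool_debug_output):
    """Return {stanza: {key: value}} with only the settings whose source
    file is NOT inside a .../default/ directory."""
    stanzas = {}
    current = None
    for raw in btool_debug_output.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # blank line or something that is not btool output
        src, body = m.group("src"), m.group("body")
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]  # new stanza; keep it only if keys follow
            continue
        if current is None or "/default/" in src.replace("\\", "/"):
            continue  # shipped default, not a local customisation
        key, _, value = body.partition("=")  # split on the first "=" only
        stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def to_conf(stanzas):
    """Render the filtered settings as savedsearches.conf text."""
    out = []
    for name, settings in stanzas.items():
        out.append("[%s]" % name)
        out.extend("%s = %s" % kv for kv in settings.items())
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_conf(strip_defaults(SAMPLE)))
```

Stanzas that carry nothing but default settings, such as `[default]` in the sample, produce no output at all.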


hunterpj
Path Finder

Is there any way to view the configuration file directly using the REST API? This helps, but isn't in the format of the savedsearches.conf as shown in the local savedsearches.conf file I have on my local instance. I am currently trying to use the REST API command configs/conf-{file}/{name}, but it's not working for me.

MuS
SplunkTrust

Might be a permission issue.
If you can use the Web Terminal and run btool you would get a list that you can use to copy / paste.

cheers, MuS


hunterpj
Path Finder

Thank you for your help, this works.


hunterpj
Path Finder

As another note for anyone who comes along, I used in the Web Terminal the command:
btool savedsearches list --app=SPLUNK_APP

It works really well in isolating the alerts you want by app.
