Is there a way to retrieve a saved search that was accidentally deleted?

Urias
Engager

Is there a way to get back a saved search which is accidentally deleted? I cannot seem to find any "recycle bin" for deleted knowledge objects within Splunk Web.
It is sometimes too easy to hit the Delete-link of the wrong saved search...


richgalloway
SplunkTrust

There is no "recycle bin" for deleted knowledge objects in Splunk. You have some options, however.

  • If the savedsearch was shipped as part of an app, it may still be present in $SPLUNK_HOME/etc/apps//default/savedsearches.conf. If it is there, you can copy it to local/savedsearches.conf.
  • Restore the affected savedsearches.conf file from your last backup. Do this in a separate location and then copy only the deleted search to the current savedsearches.conf file (or create the search in the UI).
  • Look for a copy of the deleted saved search in a user's directory or in another app.
---
If this reply helps you, Karma would be appreciated.
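
The backup-restore option in the answer above, sketched as an added example (not part of the original post and not Splunk's own tooling): it compares a backup copy of savedsearches.conf, restored to a separate location, with the live file and returns the stanzas that exist only in the backup. The function names and the sample data are assumptions made for illustration.

```python
# Added example: list stanzas that exist in a restored backup copy of
# savedsearches.conf but not in the live file. Sample data is constructed.
import sys

def parse_stanzas(text):
    """Map stanza name -> raw stanza text, so searches are copied back unchanged."""
    stanzas, name, buf, continued = {}, None, [], False
    for line in text.splitlines():
        stripped = line.strip()
        # A line that follows a trailing backslash continues the previous value,
        # even if it looks like "[...]" (a subsearch), so it is not a header.
        if not continued and stripped.startswith("[") and stripped.endswith("]"):
            if name is not None:
                stanzas[name] = "\n".join(buf).rstrip() + "\n"
            name, buf = stripped[1:-1], [line]
        elif name is not None:
            buf.append(line)
        continued = line.rstrip().endswith("\\")
    if name is not None:
        stanzas[name] = "\n".join(buf).rstrip() + "\n"
    return stanzas

def missing_stanzas(backup_text, current_text):
    """Return stanzas present in the backup but absent from the current file."""
    current = parse_stanzas(current_text)
    return {n: s for n, s in parse_stanzas(backup_text).items() if n not in current}

# Constructed sample data (not from a real deployment).
SAMPLE_BACKUP = r"""[Failed logins by host]
search = index=auth action=failure \
[search index=assets | fields host]
cron_schedule = */15 * * * *

[Disk usage report]
search = index=os sourcetype=df | stats max(pct_used) by host
"""
SAMPLE_CURRENT = r"""[Disk usage report]
search = index=os sourcetype=df | stats max(pct_used) by host
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <restored backup file> <current file>
        with open(sys.argv[1]) as b, open(sys.argv[2]) as c:
            found = missing_stanzas(b.read(), c.read())
    else:
        found = missing_stanzas(SAMPLE_BACKUP, SAMPLE_CURRENT)
    for stanza in found.values():
        print(stanza)
```

Each printed stanza can be pasted into the current savedsearches.conf as-is; Splunk needs a restart or a configuration reload before a hand-edited file takes effect.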


eugenek
Path Finder

Look in the audit log.

index=_audit  savedsearch_name="SEARCH NAME"

robertszekeres
Engager

Great answer, it works. Thx a lot!

Urias
Engager

Thanks. I will then just have to be very careful in deleting stuff...
