Is there a way to retrieve a saved search that was accidentally deleted?

Urias
Engager

Is there a way to get back a saved search which is accidentally deleted? I cannot seem to find any "recycle bin" for deleted knowledge objects within Splunk Web.
It is sometimes too easy to hit the Delete-link of the wrong saved search...

0 Karma

richgalloway
SplunkTrust

There is no "recycle bin" for deleted knowledge objects in Splunk. You have some options, however.

  • If the savedsearch was shipped as part of an app, it may still be present in $SPLUNK_HOME/etc/apps//default/savedsearches.conf. If it is there, you can copy it to local/savedsearches.conf.
  • Restore the affected savedsearches.conf file from your last backup. Do this in a separate location and then copy only the deleted search to the current savedsearches.conf file (or create the search in the UI).
  • Look for a copy of the deleted saved search in a user's directory or in another app.
---
If this reply helps you, Karma would be appreciated.

0 Karma
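
The second option in the answer above (restore the backup to a separate location, then copy only the deleted search), shown as an added example that is not part of the original thread. The file contents are constructed samples and the function names are hypothetical; the parser honours trailing-backslash line continuations so a subsearch line starting with "[" is not mistaken for a new stanza.

```python
import re

HEADER = re.compile(r"^\[(.+)\]\s*$")

def parse_stanzas(text):
    """Map each stanza name to its raw text, header line included."""
    stanzas, name, buf, continued = {}, None, [], False
    for line in text.splitlines():
        # A line following a trailing backslash continues the previous value,
        # even when it looks like a header (a subsearch starts with "[").
        header = None if continued else HEADER.match(line)
        if header:
            if name is not None:
                stanzas[name] = "\n".join(buf).rstrip() + "\n"
            name, buf = header.group(1), [line]
        elif name is not None:  # settings above the first stanza are skipped
            buf.append(line)
        continued = line.rstrip().endswith("\\")
    if name is not None:
        stanzas[name] = "\n".join(buf).rstrip() + "\n"
    return stanzas

def missing_stanzas(backup_text, current_text):
    """Stanzas present in the restored backup but absent from the live file."""
    current = parse_stanzas(current_text)
    return {n: body for n, body in parse_stanzas(backup_text).items()
            if n not in current}

# Constructed sample contents; in practice read the two savedsearches.conf files.
BACKUP = """\
[Failed logins by host]
cron_schedule = */15 * * * *
search = index=auth action=failure \\
[search index=assets risk=high | fields host]

[Disk usage report]
search = index=os sourcetype=df | stats max(pct) by host
"""
CURRENT = """\
[Disk usage report]
search = index=os sourcetype=df | stats max(pct) by host
"""

if __name__ == "__main__":
    for body in missing_stanzas(BACKUP, CURRENT).values():
        print(body)  # paste into the live savedsearches.conf after review
```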

eugenek
Path Finder

Look in the audit log.

index=_audit  savedsearch_name="SEARCH NAME"

robertszekeres
Engager

Great answer, it works. Thx a lot!

0 Karma

Urias
Engager

Thanks. I will then just have to be very careful in deleting stuff...

0 Karma