Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to split the default savedsearches.conf from the local one?

hunterpj
Path Finder
‎06-27-2018 11:50 AM

I am using a search command to find the savedsearches.conf for an alert. I created a search which can list all of the parameters in the savedsearches.conf, however it merges both the default and local savedsearches.conf for that alert. the search I use is below:

| rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches search="eai:acl.app=INSERT_APP_NAME"
| search title="INSERT_ALERT_TITLE"
| rename eai:acl.app as app, eai:acl.perms.read as read, eai:acl.sharing as sharing
| fields - updated published id eai*
| fields title author splunk_server app read sharing *
| eval title="[".title."]"
| foreach * [eval title=if("<>"="author" OR "<>"="splunk_server" OR "<>"="app" OR "<>"="read"  OR "<>"="sharing" OR "<>"="title" OR '<>'="",title,mvappend(title,"<>"."="."\"".'<>'."\""))]
| fields title author splunk_server app read sharing
| search title=**

Is there any way for me to only see the local portion of the savedsearches.conf?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-27-2018 12:17 PM

The only way to do that is using the CLI, either with btool or by directly examining the app's local/savedsearches.conf file.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-27-2018 12:17 PM

The only way to do that is using the CLI, either with btool or by directly examining the app's local/savedsearches.conf file.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎06-27-2018 12:20 PM

Or like recommended in the other question https://answers.splunk.com/answers/668401/need-to-find-conf-files-on-a-splunk-interface-only.html#an... by using the Web Terminal App https://splunkbase.splunk.com/app/1607/ and run btool in there.

cheers, MuS

Reply
Solved! Jump to solution

hunterpj
Path Finder
‎06-27-2018 12:59 PM

The Web Terminal kept crashing on my originally, but after I restarted the instance once it worked. Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...