Solved: Re: version controlling my search definitions?

matt_arguin · ‎12-05-2012

I am trying to find where my search definitions are kept and if there is way that i can put them in version control (in my case, SVN) so that they are included in our continuous integration. Is this possible or are the definitions rows in a db?

kristian_kolb · ‎12-05-2012

Are you talking about savedsearches.conf?

That file exists in several places, typically in;

/etc/apps/<appname>/local
/etc/system/local
/etc/users/<username>/<appname>/local

Normally no need to look in the corresponding default directories, except for apps that you yourself create.

Hope this helps,

Kristian

View solution in original post

cmeo · ‎04-09-2013

I've been looking at questions and answers about version control of knowledge in Splunk and frankly it's weak to non-existent. There's nothing in the BUI and you're on your own with text files. On non-*x platforms where svn, git, even rcs and make (for placing files) are unknown, this is getting to be a large problem with our customers especially after a few years cranking away developing their own knowledge artifacts. From what I've seen of sourcesafe and other windowsy things, you do not want to go down that road if you can avoid it. So, how about an RFE to include even very basic version control in the BUI so that your latest and maybe a couple of previous diffs of your conf files get stored somewehere, and you can roll back if you want? I shouldn't think this would be much of a stretch, and for extra credit some hooks into popular version control systems would be REALLY nice...:-) SoS is only a partial answer at best and points the way to something better.

Marinus · ‎12-07-2012

I prefer to keep them in a custom app, which you can easily move around.
On the source you can also use something like GIT, to manage not just searches but config files also.

Marinus

matt_arguin · ‎12-07-2012

Thanks Marinus, we are putting them in to puppet which in turn is VC'd in SVN (both the configs and the config searches).

kristian_kolb · ‎12-05-2012

Are you talking about savedsearches.conf?

That file exists in several places, typically in;

/etc/apps/<appname>/local
/etc/system/local
/etc/users/<username>/<appname>/local

Normally no need to look in the corresponding default directories, except for apps that you yourself create.

Hope this helps,

Kristian

matt_arguin · ‎12-06-2012

ok, well i don't know what the heck i was looking at before, but, yeah..found all the savesearches.conf's. thanks!

matt_arguin · ‎12-06-2012

that's the file... i thought i had looked there, but didn't see anything. going back to double check...

version controlling my search definitions?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation