Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Re: version controlling my search definitions?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to find where my search definitions are kept and if there is way that i can put them in version control (in my case, SVN) so that they are included in our continuous integration. Is this possible or are the definitions rows in a db?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you talking about savedsearches.conf?
That file exists in several places, typically in;
/etc/apps/<appname>/local
/etc/system/local
/etc/users/<username>/<appname>/local
Normally no need to look in the corresponding default directories, except for apps that you yourself create.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've been looking at questions and answers about version control of knowledge in Splunk and frankly it's weak to non-existent. There's nothing in the BUI and you're on your own with text files. On non-*x platforms where svn, git, even rcs and make (for placing files) are unknown, this is getting to be a large problem with our customers especially after a few years cranking away developing their own knowledge artifacts. From what I've seen of sourcesafe and other windowsy things, you do not want to go down that road if you can avoid it. So, how about an RFE to include even very basic version control in the BUI so that your latest and maybe a couple of previous diffs of your conf files get stored somewehere, and you can roll back if you want? I shouldn't think this would be much of a stretch, and for extra credit some hooks into popular version control systems would be REALLY nice...:-) SoS is only a partial answer at best and points the way to something better.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I prefer to keep them in a custom app, which you can easily move around.
On the source you can also use something like GIT, to manage not just searches but config files also.
Marinus
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Marinus, we are putting them in to puppet which in turn is VC'd in SVN (both the configs and the config searches).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you talking about savedsearches.conf?
That file exists in several places, typically in;
/etc/apps/<appname>/local
/etc/system/local
/etc/users/<username>/<appname>/local
Normally no need to look in the corresponding default directories, except for apps that you yourself create.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok, well i don't know what the heck i was looking at before, but, yeah..found all the savesearches.conf's. thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that's the file... i thought i had looked there, but didn't see anything. going back to double check...
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
Customer success is front and center at .conf25
