Reporting

Change report query

jxjackso
Explorer

Is it possible to change the query for a report and save it with the original name? When I tru to do so, Splunk gives me an error that the report already exists.

The reason I want to edit this particular report is that I need to exclude the ip of my load balancer since it performs health checks every 5 seconds. I'd like to do so without having to save the altered report to a new one, deleting the existing report, then cloning the new report to the same name as the old one.

Labels (1)
Tags (2)
2 Solutions

Paolo_Prigione
Builder

Hi, you should be able to do so through the Manager:

Manager->Searches and reports->Edit

make sure you under the proper application while doing it.

View solution in original post

ftk
Motivator

You have two options:

  1. Via the webinterface, go to Manager > Searches and reports and track down your search. If you know the name of the search you can even search for it. Click the name of the search you want to edit. Edit the search in the Search box and click Save. All done!
  2. Look for savedsearches.conf. This may be in one of many locations, depending on the owner and sharing permissions you have set for the search. Look in the following directories: $SPLUNK_HOME/etc/search/local/, $SPLUNK_HOME/etc/apps/my_custom_app/local/, $SPLUNK_HOME/etc/users/user_name/search/local/. Once you have found the correct file, just look for the saved search you want to edit and modify the search = line to edit the search.

View solution in original post

kramerthefirst
Engager

I don't see any Manager link either. Could someone please clarify?

0 Karma

kramerthefirst
Engager

Never mind. In my Splunk version, it's apparently called settings. Thanks!

0 Karma

jeanneraymond
Engager

You have to rerun the report for the "Save" button to be enabled. For example, on the Reports page, click "Open in Search" make your changes to the query, then click the Search (magnifying glass) icon to run the revised query. The "Save" button should then be enabled.
Run search
Save is enabled

kintax
Engager

Hi. I don't see anything called "Manager" nor can I find any other way of editing a report query and saving it as the same report. Has this changed since 2010?,Can this please be updated for a current version of Splunk? I don't see any way to edit the query used for the report and I don't see anything called "Manager" Really wish there was an "Edit Report" function that let you do what it said it did.

hbazan
Path Finder

When you open a saved report (using .../report_builder_display?...) you've got several button s above the results (Export / Print / ... / Edit Report). The Edit Report option opens the report editor on a new window, and there you got the "Save" or "Save as" options. But I've found that if you change a number of things, the Save option disappear (for instance going back and forth between "define report" and "format Report").

0 Karma

jxjackso
Explorer

Both of you, thanks for the answer.

What confused me was the existence of the "Edit Report" button.
That button name implies you can modify the report. Which is partly true. You can change graphing options, labels, etc and hit apply to save those changes. But you can't save a new query from the "Edit Report" button. Maybe when you hit edit report, there should be a link or something that can take you to the manager page where you edit the report query.

Either way, you guys answered my question. Thanks.

0 Karma

ftk
Motivator

You have two options:

  1. Via the webinterface, go to Manager > Searches and reports and track down your search. If you know the name of the search you can even search for it. Click the name of the search you want to edit. Edit the search in the Search box and click Save. All done!
  2. Look for savedsearches.conf. This may be in one of many locations, depending on the owner and sharing permissions you have set for the search. Look in the following directories: $SPLUNK_HOME/etc/search/local/, $SPLUNK_HOME/etc/apps/my_custom_app/local/, $SPLUNK_HOME/etc/users/user_name/search/local/. Once you have found the correct file, just look for the saved search you want to edit and modify the search = line to edit the search.

Paolo_Prigione
Builder

Hi, you should be able to do so through the Manager:

Manager->Searches and reports->Edit

make sure you under the proper application while doing it.

kmugglet
Communicator

Stating the Obvious. For version 6, replace Manager with Settings.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...