Reporting

How do I Delete, Edit, or Rename a search

jakesalomon
Engager

True newbie question:

After creating my first search string and saving the search, I wanted to edit it. Finding no button (what did I miss?) to accomplish that, I tried pulling it in again, edited it and tried to save it back. Result:

Error: Search with same name exists.

So I saved the edited version under a new name. Now I want to go back to delete the old search and rename the new search. I have the User manual open on my desktop and searching for strings like "delete" and "rename" leads to all manner of misdirection [from what I seek]. (The generated list of similar questions misses this issue as well.)

If it's in the User Manual (ver.1.14), or any other manual, please direct me to the appropriate page. Or please just tell me how it's done.

Thanks much.

-- J.S.


spunk311z
Path Finder

I don't understand why there is not a simple way to save your search phrase (so that you can easily search that same query again in future).

Then an easy way to edit that search phrase in the future.

(I see edit description, edit permissions, edit schedule, everything except the most needed: edit search.)

Just basic functions that users need. The advanced stuff is great, but basics are needed as well (and often more used/important on a daily basis).
tks

0 Karma

BunnyHop
Contributor

You can also go back to the configuration files (*/etc/system/local/savedsearches.conf) which should contain all your saved searches. You can then directly modify the search (if you know the search string) or remove the entry from the config file. You might need to restart Splunk after the changes. Here's the documentation for the savedsearches.conf file:

http://www.splunk.com/base/Documentation/latest/Admin/Savedsearchesconf

Also, the User Manual is neat and informative, but you can also find more "admin-related" tasks in the Admin Manual. I would give that doc a glance:

http://www.splunk.com/base/Documentation/latest/Admin/Whatsinthismanual

This will give you more ammo in configuring the backend side of Splunk.

0 Karma
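The answer above points at editing savedsearches.conf directly. The following script is an added example, not code from the thread or from Splunk: it parses a .conf file into its `[stanza]` blocks without interpreting the key/value lines, so comments, blank lines and backslash-continued values survive untouched, and offers rename and delete operations on a saved search by stanza name. The sample file content is constructed for the example; the rename refuses to overwrite an existing stanza, mirroring the "Search with same name exists" error the original poster hit in the UI.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample savedsearches.conf content (not taken from the thread).
# Stanza headers name the saved search; the trailing backslash is the
# multi-line value syntax Splunk .conf files use.
SAMPLE_CONF = """\
# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf (constructed sample)
[Failed logins by host]
search = index=_audit action=login_attempt info=failed | stats count by host
dispatch.earliest_time = -24h
cron_schedule = */15 * * * *
enableSched = 1

[Failed logins by host (v2)]
search = index=_audit action=login_attempt info=failed \\
| stats count by host, user
dispatch.earliest_time = -24h
"""

STANZA_RE = re.compile(r"^\[(.*)\]\s*$")

# A stanza is (name, raw lines). name is None for the preamble before the
# first [header]; raw lines keep comments and blank lines so a rewrite does
# not reformat anything it was not asked to touch.
Stanza = Tuple[Optional[str], List[str]]


def parse_stanzas(text: str) -> List[Stanza]:
    """Split .conf text into stanzas without interpreting key = value lines."""
    stanzas: List[Stanza] = [(None, [])]
    for line in text.splitlines(keepends=True):
        m = STANZA_RE.match(line)
        if m:
            stanzas.append((m.group(1), []))
        else:
            stanzas[-1][1].append(line)
    return stanzas


def render(stanzas: List[Stanza]) -> str:
    """Inverse of parse_stanzas: emit headers and raw lines unchanged."""
    out: List[str] = []
    for name, lines in stanzas:
        if name is not None:
            out.append(f"[{name}]\n")
        out.extend(lines)
    return "".join(out)


def list_searches(text: str) -> List[str]:
    return [name for name, _ in parse_stanzas(text) if name is not None]


def delete_search(text: str, name: str) -> str:
    """Drop the stanza for `name`; raise if no such saved search exists."""
    stanzas = parse_stanzas(text)
    kept = [s for s in stanzas if s[0] != name]
    if len(kept) == len(stanzas):
        raise KeyError(f"no saved search named {name!r}")
    return render(kept)


def rename_search(text: str, old: str, new: str) -> str:
    """Rename a stanza, refusing to clobber an existing search (the same
    'Search with same name exists' rule the UI enforces)."""
    stanzas = parse_stanzas(text)
    names = [s[0] for s in stanzas]
    if old not in names:
        raise KeyError(f"no saved search named {old!r}")
    if new in names:
        raise ValueError(f"search with same name exists: {new!r}")
    return render([(new if n == old else n, lines) for n, lines in stanzas])


if __name__ == "__main__":
    # Reproduce the poster's situation: drop the old search, then give the
    # edited copy the original name.
    trimmed = delete_search(SAMPLE_CONF, "Failed logins by host")
    final = rename_search(trimmed, "Failed logins by host (v2)", "Failed logins by host")
    print(final)
```

Run it against the real file only with Splunk's own caveats in mind: the answer above notes that a restart may be needed for a direct edit to take effect, and, as a later reply in this thread points out, a search head cluster does not replicate changes made outside Splunk Web, the CLI or the REST API.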

mattness
Splunk Employee

To edit or delete a saved search, you need to use Splunk Manager, as Becky states above. Saved searches are a type of knowledge object (along with other kinds of user-created metadata like event types, tags, lookups, transactions, workflow actions, and so on). All knowledge objects can be edited and managed via Manager.

Go to the Manager link at the upper right-hand side of the Splunk page and click it if you're unfamiliar with it. Then click on the Searches and Reports link to see a list of all of the saved searches that you have either created or have been given permission to view and/or edit. Click on the name of the search you created; you should be taken to a details page, and if you have the correct permissions, you should be able to edit it there and save your changes.

Permissions are important, especially when it comes to deleting saved searches and other knowledge objects (as well as editing them). Here are the rules that control whether or not you can delete a saved search in Manager:

  • You cannot delete default knowledge objects that were delivered with Splunk (or with the app) via Manager. If the knowledge object definition resides in the app's default directory, it can't be removed via Manager. It can only be disabled (by clicking Disable). Only objects that exist in an app's "local" directory are eligible for deletion.

  • You can delete knowledge objects that you have created, and which haven't been shared. Once a knowledge object you've created is shared with other users, your ability to delete it is revoked, unless you have write permissions for the app to which they belong (see the next point).

  • To delete all other knowledge objects, you need to have write permissions for the application to which they belong. This applies to knowledge objects that are shared globally as well as those that are only shared within an app--all knowledge objects belong to a specific app, no matter how they are shared. App-level write permissions are usually only granted to users with admin-equivalent roles.

For more information about disabling or deleting knowledge objects (such as saved searches) see: http://www.splunk.com/base/Documentation/latest/Knowledge/CurateSplunkknowledgewithManager#Disable_o...

I'm the tech writer in charge of this sort of thing. I'll review the docs and try to make it easier to find the material that I've linked to above.

rsimmons
Splunk Employee

You can go under manager > searches and reports and disable, clone, delete and rename it or run it.

jaxjohnny2000
Builder

https://docs.splunk.com/Documentation/Splunk/7.1.2/DistSearch/HowconfrepoworksinSHC

There is no option to rename in Manager > Searches and reports. There is only edit, clone, delete.

Further, the cluster only replicates changes that are made through Splunk Web, the Splunk CLI, or the REST API. If you directly edit a configuration file, the cluster does not replicate it. Instead, you must use the deployer to distribute the file to all cluster members.

If we use the SH Deployer to deliver new searches, the replication works.

So it looks like we need to create completely new objects, either via SH Deployer or Splunk Web UI, and then use the Splunk Web UI to remove the deprecated objects.

0 Karma