Solved: Migrating Saved Search from 3.x to 4.x

Simon · ‎04-12-2010

Hi folks

Is there a way to manually migrate saved searches from splunk 3.x to 4.x? The problem is that I didn't upgrade my splunk instance but rather built a new splunk instance beside and let my forwarders send the data to both instances so I miss now my saved searches on the new splunk 4.x box.

Thanks for hints, Simon

gkanapathy · ‎04-12-2010

In general, you should be able to just copy the 3.x saved search stanza from savedsearches.conf to a savedsearches.conf file in 4.x. Note however that in 4.x, savedsearches.conf can't sit in etc/system, and must be in an app and run in an app context. (Migration moves them to the search app.)

There are a couple of search syntax changes and a couple of search commands that may have changed, but the vast majority should work without change.

View solution in original post

gkanapathy · ‎04-12-2010

In general, you should be able to just copy the 3.x saved search stanza from savedsearches.conf to a savedsearches.conf file in 4.x. Note however that in 4.x, savedsearches.conf can't sit in etc/system, and must be in an app and run in an app context. (Migration moves them to the search app.)

There are a couple of search syntax changes and a couple of search commands that may have changed, but the vast majority should work without change.

Simon · ‎04-13-2010

Thanks, that's good to hear!

Migrating Saved Search from 3.x to 4.x

Tips & Tricks When Using Ingest Actions

Announcing Our Splunk MVPs

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!