One-liner to disable all scheduled searches?

SplunkTrust

Is there a command via splunk.exe or another /bin tool to disable all saved searches on a particular Splunk instance? Does Splunk require some of the default searches to run?


Re: One-liner to disable all scheduled searches?

Motivator

I think you can do ./splunk add saved-search and ./splunk remove saved-search but not disable it.

By the way, ./splunk help and ./splunk help commands come in pretty handy when fiddling with the CLI.

0 Karma

Re: One-liner to disable all scheduled searches?

Super Champion

I don't think Splunk needs any searches to run for its own internal purposes. There are some default dashboards that rely on saved searches (like "Top five sourcetypes") so they will not show up properly (or as efficiently), but none of Splunk's internals will blow up if you disable scheduled searches.

It appears that you can disable the scheduler entirely using the following setting in default-mode.conf:

[pipeline:scheduler]
disabled = true

You could bundle this in an app and deploy it. Of course this would require a splunkd restart. This is done by default in the Splunk 4.1 light forwarder. I realize this isn't exactly what you're asking for, but it may work depending on your scenario.


Re: One-liner to disable all scheduled searches?

Splunk Employee

Splunk does not require any scheduled searches to run. The only default scheduled searches are just for populating some of the status dashboards. They will just load slower without the schedule, if you use them at all.

0 Karma

Re: One-liner to disable all scheduled searches?

Splunk Employee

This may only work in 4.1 and up. It may work in 4.0, but I'm not certain and don't have a 4.0 to check against.

0 Karma
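
Added example, not from any poster in this thread and not Splunk's own tooling: the accepted answer turns the scheduler off wholesale, so it helps to know beforehand which saved searches (alerts included) would stop running. This Python script lists them, assuming searches are defined in app-level `default/` and `local/` `savedsearches.conf` files and that `enableSched` and `disabled` decide whether a search is scheduled; the sample apps and search names are constructed.

```python
import os
TRUE = {"1", "true", "t", "yes", "y"}  # assumption: spellings read as boolean true

def parse_conf(path):
    """Parse a Splunk .conf file into {stanza: {key: value}}."""
    stanzas, current, pending = {}, None, ""
    if not os.path.isfile(path):
        return stanzas
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = pending + raw.rstrip("\n")
            if line.endswith("\\"):  # value continues on the next line
                pending = line[:-1]
                continue
            pending, line = "", line.strip()
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1], {})
            elif "=" in line and not line.startswith("#") and current is not None:
                key, _, value = line.partition("=")
                current[key.strip()] = value.strip()
    return stanzas

def scheduled_searches(apps_dir):
    """Return sorted (app, search) pairs that are scheduled and not disabled."""
    found = []
    for app in os.listdir(apps_dir):
        merged = {}
        for layer in ("default", "local"):  # local settings override default
            path = os.path.join(apps_dir, app, layer, "savedsearches.conf")
            for name, kv in parse_conf(path).items():
                merged.setdefault(name, {}).update(kv)
        base = merged.pop("default", {})  # [default] stanza applies to every search
        for name, kv in merged.items():
            eff = {**base, **kv}
            if (eff.get("enableSched", "0").lower() in TRUE
                    and eff.get("disabled", "0").lower() not in TRUE):
                found.append((app, name))
    return sorted(found)

SAMPLE = {  # constructed layout with hypothetical app and search names
    "search/default": "[Errors last hour]\nenableSched = 1\nsearch = index=main \\\n | top host\n",
    "search/local": "[Errors last hour]\ndisabled = 1\n",
    "ops/default": "[Nightly summary]\nenableSched = true\n[Adhoc]\nsearch = index=main\n",
}

def build_sample(root):
    for rel, text in SAMPLE.items():  # write SAMPLE as savedsearches.conf files
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, "savedsearches.conf"), "w", encoding="utf-8") as fh:
            fh.write(text)
```

On a real instance, call `scheduled_searches()` with the path to `$SPLUNK_HOME/etc/apps`.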