Savedsearches.conf changes not working

brantramey
Explorer

Attempting to use savedsearches.conf to create saved searches associated with my app. The issue I seem to have is the searches within the file do not show up in the Manager. I have removed the vsid= portion; I have left that part in. Nothing seems to work. I want to have my saved searches self-contained in the app as the app is deployed without having to manually create the saved search through the GUI.
Below is an example of one of the 3 in the file not showing up at all.

[Admin - Real-time Searches over last 24 hours]
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
displayview = flashtimeline
request.ui_dispatch_view = flashtimeline
search = index=* sourcetype=audittrail search_id='rt*' | transaction search_id | table timestamp search_id search total_run_time result_count user

lguinn2
Legend

This is perhaps a dumb suggestion; if so, I apologize. But are you sure that you have selected the proper app in the Manager? There are two selectors at the top of the page: App Context and Owner. There is also a checkbox for "Show only objects created in this app context." And, what user account did you use to log in to Splunk - was it the same one that you used to create the app and the saved searches?

If you can't figure it out in the Splunk Manager, you can look at the underlying configuration files. Here are the files that affect your application and search visibility:

$SPLUNK_HOME/etc/apps/YOURAPP/default/app.conf
$SPLUNK_HOME/etc/apps/YOURAPP/local/app.conf
$SPLUNK_HOME/etc/apps/YOURAPP/metadata/default.meta
$SPLUNK_HOME/etc/apps/YOURAPP/metadata/local.meta
$SPLUNK_HOME/etc/apps/YOURAPP/default/savedsearches.conf
$SPLUNK_HOME/etc/apps/YOURAPP/local/savedsearches.conf
$SPLUNK_HOME/etc/apps/YOURAPP/default/data/ui/nav/default.xml
$SPLUNK_HOME/etc/apps/YOURAPP/default/data/ui/nav/default.xml

When the same file appears in both the local and the default folders, Splunk combines the two. If any settings conflict, the local version will override the default. You can edit these files directly, but you should make a backup copy of the file before you change it. Here is more info about the config files.

Finally - if you can't find the savedsearches.conf file in the app folders, or if it doesn't contain the searches you expect, it may be because the app and/or the searches are private to the user that created them. In that case, you will find the files under

$SPLUNK_HOME/etc/users/USERNAME/YOURAPP/*

In the end, your searches should show up in the Manager - if you are logged in as the proper user (or admin) and you have selected the proper app and options in the Manager. If they don't, you should probably file a support ticket. All the other suggestions here are a little tangential to your original question...
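
The lookup described in the answer above, as an added example that is not part of the original thread or of Splunk's own tooling: it reports which of the default, local and per-user savedsearches.conf files define each stanza, with local settings overriding default. The app name `myapp`, the user `alice`, the sample stanzas and all function names are constructed for illustration; it assumes the per-user file sits one directory below `etc/users/USERNAME/YOURAPP` and does not handle multi-line values.

```python
import glob
import os
import tempfile

def parse_conf(path):
    """Parse a Splunk .conf file into {stanza: {key: value}}."""
    stanzas, current = {}, None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank line or comment
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1], {})
            elif "=" in line and current is not None:
                key, value = line.split("=", 1)  # search strings contain '=' too
                current[key.strip()] = value.strip()
    return stanzas

def locate_saved_searches(splunk_home, app):
    """Map each stanza to the scopes defining it and its merged app-level settings."""
    app_dir = os.path.join(splunk_home, "etc", "apps", app)
    files = [(s, os.path.join(app_dir, s, "savedsearches.conf")) for s in ("default", "local")]
    users = os.path.join(splunk_home, "etc", "users")
    for path in sorted(glob.glob(os.path.join(users, "*", app, "*", "savedsearches.conf"))):
        files.append(("private:" + os.path.relpath(path, users).split(os.sep)[0], path))
    found = {}
    for scope, path in files:
        if not os.path.isfile(path):
            continue
        for name, settings in parse_conf(path).items():
            entry = found.setdefault(name, {"scopes": [], "settings": {}})
            entry["scopes"].append(scope)
            if not scope.startswith("private:"):
                entry["settings"].update(settings)  # local is read after default, so it wins
    return found

def build_demo_tree(root):
    """Write a constructed sample layout (hypothetical app 'myapp', user 'alice')."""
    samples = {
        "etc/apps/myapp/default": "[Admin - RT]\nsearch = index=* search_id='rt*'\nalert.track = 0\n",
        "etc/apps/myapp/local": "[Admin - RT]\nalert.track = 1\n",
        "etc/users/alice/myapp/local": "[Scratch]\nsearch = index=main error\n",
    }
    for rel, text in samples.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, "savedsearches.conf"), "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        for name, info in locate_saved_searches(root, "myapp").items():
            print(name, info["scopes"], info["settings"])
```

A stanza listed only under a `private:` scope is stored in that user's directory rather than in the app, which is the case the answer describes for searches missing from the app folders.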

brantramey
Explorer

Not sure what happened but we upgraded to 4.2.5 and it magically started working.

Thanks.

brantramey
Explorer

Attempted both of these suggestions and the queries still do not show up in the manager.

I have restarted the search head several times as well.
I have deleted the app, deleted the saved queries from the GUI, and had the app redeployed and I have the same issue.

joshd
Builder

I assume you are editing the file directly? Did you refresh after making the changes? Here's a related post:

http://splunk-base.splunk.com/answers/8696/how-ro-reload-global-savedsearches

You could also force a refresh on all splunkd resources (use with caution!) by accessing this URL:

https://yourhost:8000/en-US/debug/refresh
