Attempting to use savedsearches.conf to create saved searches associated with my app. The issue I seem to have is the searches within the file do not show up in the Manager. I have removed the vsid= portion, I have left that part in. Nothing seems to work. I want to have my saved searches self contained in the app as the app is deployed without having to manually create the saved search through the GUI.
Below is an example of one of the 3 in the file not showing up at all.
[Admin - Real-time Searches over last 24 hours]
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.suppress = 0
alert.track = 0
dispatch.earliesttime = -24h@h
dispatch.latesttime = now
displayview = flashtimeline
request.uidispatchview = flashtimeline
search = index=* sourcetype=audittrail searchid='rt*' | transaction searchid | table timestamp searchid search totalruntime resultcount user
I assume you are editing the file directly? did you refresh after making the changes? here's a related post:
You could also force a refresh on all splunkd resources (use with caution!) by accessing this URL:
Attempted both of these suggestions and the queries still do not show up in the manager.
I have restarted the search head several times as well.
I have deleted the app, deleted the saved queries from the GUI, and had the app redeployed and I have the same issue.
This is perhaps a dumb suggestion; if so, I apologize. But are you sure that you have selected the proper app in the Manager? There are two selectors at the top of the page: App Context and Owner. There is also a checkbox for "Show only objects created in this app context." And, what user account did you use to login to Splunk - was it the same one that you used to create the app and the saved searches?
If you can't figure it out in the Splunk Manager, you can look at the underlying configuration files. Here are the files that affect your application and search visibility:
$SPLUNK_HOME/etc/apps/YOURAPP/default/app.conf $SPLUNK_HOME/etc/apps/YOURAPP/local/app.conf $SPLUNK_HOME/etc/apps/YOURAPP/metadata/default.meta $SPLUNK_HOME/etc/apps/YOURAPP/metadata/local.meta $SPLUNK_HOME/etc/apps/YOURAPP/default/savedsearches.conf $SPLUNK_HOME/etc/apps/YOURAPP/local/savedsearches.conf $SPLUNK_HOME/etc/apps/YOURAPP/default/data/ui/nav/default.xml $SPLUNK_HOME/etc/apps/YOURAPP/default/data/ui/nav/default.xml
When the same file appears in both the local and the default folders, Splunk combines the two. If any settings conflict, the local version will override the default. You can edit these files directly, but you should make a backup copy of the file before you change it. Here is more info about the config files.
Finally - if you can't find the savedsearches.conf file in the app folders, or if it doesn't contain the searches you expect, it may be because the app and/or the searches are private to the user that created them. In that case, you will find the files under
In the end, your searches should show up in the Manager - if you are logged in as the proper user (or admin) and you have selected the proper app and options in the Manager. If they don't, you should probably file a support ticket. All the other suggestions here are a little tangential to your original question...