
v6.4.2 Admin Can't Delete Saved Searches

paimonsoror
Builder

I have done a search here and see that this was a big issue for some of the older versions of Splunk, but I seem to be facing this in 6.4.2 as well. I am in a SH Clustered environment, so I don't think removing the searches from the config files would be the correct way of doing it.

Are there any alternatives? I have a few alerts in our environment that need to be deleted, and even with admin I don't have the rights to remove them.

0 Karma
1 Solution

Masa
Splunk Employee

"even with admin I don't have the rights to remove them"

Sounds like you deployed those savedsearches from the Deployer, and they are located in SPLUNK_HOME/etc/apps/default.
If that's the case, the only solution is to remove those savedsearches in savedsearches.conf in the default directory.
If you're using a Deployer, remove those savedsearches in savedsearches.conf in the default directory; deploying the apps to the SHC must then resolve the issue.

jkat54
SplunkTrust

Usually this is a file system permissions issue. For example, if Splunk ran as root when the search was created, and now it's running as a less privileged user, it can write to the savedsearches.conf that is owned by root.

A good thing to try is to recursively change the owner of the directory to the correct Splunk user.

So if you need help with this, let us know if you're on Windows or Linux.

paimonsoror
Builder

Ah, thanks for the info. I'm on a Linux server. I'll take a look to see what the permissions are set at right now.

0 Karma

jkat54
SplunkTrust

Check on the SHs and the SHC Deployer /etc/shcluster/apps dir too.

0 Karma

paimonsoror
Builder

Here's what I got:

Deployer-----
/opt/splunk/etc/shcluster/apps/APP_WHERE_SEARCH_IS/local
-rw-r--r-- 1 splunk splunker 113452 Sep 23 09:53 savedsearches.conf

SHs----
/opt/splunk/etc/apps/APP_WHERE_SEARCH_IS/local
-rw------- 1 splunk splunker 20765 Oct 13 14:37 savedsearches.conf

0 Karma

jkat54
SplunkTrust

How about the default folder on the SH?

0 Karma

jkat54
SplunkTrust

I guess Masa beat me to it.

paimonsoror
Builder

Kudos on your help though, thanks for leading me to the water 🙂

0 Karma
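
The accepted answer turns on which layer of the app (default or local) defines a saved search. As an added example, not code from the thread or from Splunk, this lists every stanza in an app's savedsearches.conf files by layer, so the ones that have to be removed from the default directory and redeployed stand out. The stanza names and file contents are constructed, and the function names are hypothetical.

```python
import os
import tempfile

def stanzas(conf_path):
    """Return the stanza names defined in one Splunk .conf file."""
    names = set()
    if not os.path.isfile(conf_path):
        return names
    continued = False  # True when the previous line ended with a backslash
    with open(conf_path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            # A "[...]" line that continues a multi-line search (a subsearch)
            # is part of a value, not a stanza header.
            if not continued and line.startswith("[") and line.endswith("]"):
                names.add(line[1:-1])
            continued = line.endswith("\\")
    return names

def classify(app_dir):
    """Map each saved search in an app to the layer(s) that define it."""
    default = stanzas(os.path.join(app_dir, "default", "savedsearches.conf"))
    local = stanzas(os.path.join(app_dir, "local", "savedsearches.conf"))
    return {name: "default+local" if name in default and name in local
            else "default" if name in default else "local"
            for name in default | local}

# Constructed sample content; the stanza names are not from the thread.
SAMPLE = {
    "default": r"""[Disk Alert]
search = index=os sourcetype=df \
[search index=os | fields host]

[Old Alert]
search = index=main error
""",
    "local": "[Old Alert]\ndisabled = 1\n\n[My Report]\nsearch = index=main\n",
}

def build_sample_app(root):
    """Write the constructed sample into root/default and root/local."""
    for layer, text in SAMPLE.items():
        os.makedirs(os.path.join(root, layer), exist_ok=True)
        path = os.path.join(root, layer, "savedsearches.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, layer in sorted(classify(build_sample_app(tmp)).items()):
            print(f"{layer:14} {name}")
```

On a real search head, point `classify()` at the app directory, for example the `/opt/splunk/etc/apps/APP_WHERE_SEARCH_IS` path shown earlier in the thread.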