Encountered the following error while trying to update: In handler 'savedsearch': Cannot find viewstate with vsid="XXXXX" while saving the searches?

Hemnaath
Motivator

I have got a ticket for a user who has been facing the above-mentioned problem for quite some time. When the user tries to save the saved search report from settings - search & reports - search name - XXXX, he gets the above-mentioned error, but he can save other reports with his name.
Even when I tried to save the report as an admin user, it throws the same error.

I followed these steps to troubleshoot, but they did not work out.
1) Checked the permission level and modified it to read/write for this user for this particular app (search), but no luck.
2) I verified savedsearch.conf and viewstate.conf and could not find the search details or the vsid="xxxx" information. So I created the saved search with the same details and vsid="xxxx" and restarted, but no luck.
3) Under the path /opt/splunk/etc/apps/search/metadata/local.meta, I could not see the search information or the owner information. Do I need to create this stanza in local.meta?

[savedsearches/Cisco]
modtime = 1342788232.129847000 - What does this stand for?
version = 4.3.1
owner = xxxx

[viewstates/flashtimeline%3Ah4v9ekgh]
owner = nobody
modtime = 1342788211.984089000
version = 4.3.1 -- Is this a Splunk app version?
export = system

Details -
Splunk version 6.0.3

splunk_access.log details :

127.0.0.1 - xxxxx [01/Jul/2016:05:16:58.635 -0400] "GET /services HTTP/1.0" 200 8371 - - - 2ms
127.0.0.1 - xxxxx [01/Jul/2016:05:16:58.642 -0400] "GET /servicesNS/xxxxx/search/data/ui/manager?count=-1 HTTP/1.0" 200 510940 - - - 58ms
127.0.0.1 - xxxxx [01/Jul/2016:05:16:58.884 -0400] "GET /servicesNS/xxxx/search/saved/searches/Cisco%20-%20Critical%20and%20Alert%20%28ASA%20only%29 HTTP/1.0" 200 27960 - - - 28ms
127.0.0.1 - xxxxx [01/Jul/2016:05:16:58.921 -0400] "GET /servicesNS/xxxx/search/saved/searches/Cisco%20-%20Critical%20and%20Alert%20%28ASA%20only%29 HTTP/1.0" 200 27960 - - - 21ms
127.0.0.1 - xxxx [01/Jul/2016:05:16:58.947 -0400] "POST /servicesNS/xxxx/search/saved/searches/Cisco%20-%20Critical%20and%20Alert%20%28ASA%20only%29 HTTP/1.0" 400 186 - - - 7ms

splunkd.log details -
07-01-2016 05:16:58.954 -0400 ERROR SavedSearchAdminHandler - Cannot find viewstate with vsid="xxxx"

Please let me know how to fix this issue.
Thanks in advance.

0 Karma

woodcock
Esteemed Legend

I cannot tell you how it got broken, but to fix it, just go to CLI on your search head, find the associated savedsearches.conf file, edit it, find the associated search stanza and delete the vsid= line.

0 Karma

Hemnaath
Motivator

Thanks Woodcock. On the search head, under the path /opt/splunk/etc/apps/search/local/savedsearches.conf, I did not find any stanza related to this saved search. I checked the same in viewstates.conf, but nothing was related to this search. So I created the same search query and saved it in savedsearches.conf and the corresponding viewstates.conf, and finally restarted the service, but it is still throwing the same error.

[Cisco ]
action.email.inline = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = * * * * *
dispatch.latest_time = now
displayview = flashtimeline
request.ui_dispatch_view = flashtimeline
search = source="/var/log/syslog_info" _raw=DUAL-3-SIA _raw!=INDIVIDUAL earliest=-30d@h | table _time, _raw | sort -_time
vsid = xxxx

Viewstates.conf -

[flashtimeline:xxxx] - Same Vsid value given in the savedsearches.conf
AxisScaleFormatter_0_18_0.default = ""
ButtonSwitcher_0_8_0.selected = splIcon-results-table
ChartTypeFormatter_0_13_0.default = column
Count_0_7_1.default = 50
DataOverlay_0_13_0.dataOverlayMode = none
DataOverlay_0_13_0.default = none
FieldPicker_0_5_1.fields = host,sourcetype,source,User
FieldPicker_0_5_1.sidebarDisplay = True
FlashTimeline_0_4_1.height = 94px
FlashTimeline_0_4_1.minimized = False
JSChart_0_13_1.height = 300px
LegendFormatter_0_19_0.default = right
MaxLines_0_13_0.default = 10
MaxLines_0_13_0.maxLines = 10
NullValueFormatter_0_18_0.default = gaps
RowNumbers_0_12_0.default = true
RowNumbers_0_12_0.displayRowNumbers = true
RowNumbers_1_12_0.default = true
RowNumbers_1_12_0.displayRowNumbers = true
Segmentation_0_14_0.default = full
Segmentation_0_14_0.segmentation = full
SoftWrap_0_11_0.enable = True
SplitModeFormatter_0_17_0.default = false
StackModeFormatter_0_16_0.default = default
YAxisRangeMaximumFormatter_0_17_0.default = ""
YAxisRangeMinimumFormatter_0_16_0.default = ""

Please let us know if there is any other way we can resolve this problem. Even in /opt/splunk/etc/apps/search/metadata/local.meta, I could not see the stanza related to this saved search.
Thanks in advance.

0 Karma

woodcock
Esteemed Legend

There are 2 possible savedsearches.conf file locations depending on the Permission of the search. For Private permission, it is $SPLUNK_HOME/etc/users/YourUser/YourApp/local/savedsearches.conf. For App and Global permission, it is $SPLUNK_HOME/etc/apps/YourApp/local/savedsearches.conf. You have to find the correct search and delete the broken viewstate (like I said in the beginning).

0 Karma
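
A read-only check for the condition described in the answer above, added here as an example (not code from the thread or from Splunk): it walks the app-level and per-user savedsearches.conf files and lists saved searches whose vsid has no matching [view:vsid] stanza in any viewstates.conf. The sample tree, the user name alice and the vsid values are constructed; point the function at your own $SPLUNK_HOME/etc (or the pooled copy) instead.

```python
import tempfile
from pathlib import Path

def read_conf(path):
    """Parse a Splunk .conf file into {stanza: {key: value}} (multi-line values ignored)."""
    stanzas, current = {}, None
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def conf_files(etc, name):
    """App-level (default and local) and private per-user copies of a conf file."""
    etc = Path(etc)
    return sorted(etc.glob(f"apps/*/*/{name}")) + sorted(etc.glob(f"users/*/*/local/{name}"))

def dangling_vsids(etc):
    """List (file, saved search, vsid) where no scanned viewstate stanza ends in :<vsid>.
    Approximation: a vsid counts as known if any viewstates.conf defines it."""
    known = set()
    for path in conf_files(etc, "viewstates.conf"):
        known.update(stanza.rsplit(":", 1)[-1] for stanza in read_conf(path))
    hits = []
    for path in conf_files(etc, "savedsearches.conf"):
        for name, keys in read_conf(path).items():
            vsid = keys.get("vsid")
            if vsid and vsid not in known:
                hits.append((path.relative_to(etc).as_posix(), name, vsid))
    return hits

def build_sample(etc):
    """Constructed sample tree: one healthy search, one with an orphaned vsid."""
    files = {
        "apps/search/local/savedsearches.conf": "[Healthy report]\nsearch = index=main\nvsid = aaaa1111\n",
        "apps/search/local/viewstates.conf": "[flashtimeline:aaaa1111]\nCount_0_7_1.default = 50\n",
        "users/alice/search/local/savedsearches.conf": "[Broken report]\nsearch = index=main\nvsid = bbbb2222\n",
    }
    for rel, text in files.items():
        target = Path(etc) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(dangling_vsids(tmp))
```

Each reported row names the file and stanza to edit; the script itself changes nothing.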

Hemnaath
Motivator

Thanks Woodcock, you are right. I checked the path /opt/splunk/etc/users/username/search/local/savedsearches.conf and deleted the VSID = XXXX from the saved search. I got the above information from the file system pooling, not on the search heads. After finding the correct search in the savedsearches.conf file, I deleted the VSID = xxxx stanza from the search and restarted the Splunk service on the search heads.
There is no VSID = XXXX in viewstates.conf, so I did not change any settings.

Now the user can edit and save the searches from the setting-->search-->reporting--searchAPP--CISCO.

0 Karma