I have got ticket for a user facing the above mentioned problem for quiet some times, when user is trying to save the saved search reports from settings -search & reports -search name - XXXX , he is getting the above mentioned error, but he could save other reports with his name.
Even as a admin user when tried to save the report it throws the same error.
I had followed this steps to trouble shoots but did not work out.
1) Checked the permission level and modified to read/write to this user for this particular app -search but no luck.
2) I have verified the savedsearch.conf and viewstate.conf and could not find the search details & vsid="xxxx" information. So created the saved search with same details with vsid="xxxx" and restarted, but no luck.
3) under this path /opt/splunk/etc/apps/search/metadata/local.meta , I could not see the search information or the owner information. should I need to create this stanza in local.meta
[savedsearches/Cisco]
modtime = 1342788232.129847000 - What is this stand for ?
version = 4.3.1
owner = xxxx
[viewstates/flashtimeline%3Ah4v9ekgh]
owner = nobody
modtime = 1342788211.984089000
version = 4.3.1 -- Is this a splunk app version ?
export = system
Details -
Splunk version 6.0.3 version
splunk_access.log details :
127.0.0.1 - xxxxx [01/Jul/2016:05:16:58.635 -0400] "GET /services HTTP/1.0" 200 8371 - - - 2ms
127.0.0.1 - xxxxx [01/Jul/2016:05:16:58.642 -0400] "GET /servicesNS/xxxxx/search/data/ui/manager?count=-1 HTTP/1.0" 200 510940 - - - 58ms
127.0.0.1 - xxxxx [01/Jul/2016:05:16:58.884 -0400] "GET /servicesNS/xxxx/search/saved/searches/Cisco%20-%20Critical%20and%20Alert%20%28ASA%20only%29 HTTP/1.0" 200 27960 - - - 28ms
127.0.0.1 - xxxxx [01/Jul/2016:05:16:58.921 -0400] "GET /servicesNS/xxxx/search/saved/searches/Cisco%20-%20Critical%20and%20Alert%20%28ASA%20only%29 HTTP/1.0" 200 27960 - - - 21ms
127.0.0.1 - xxxx [01/Jul/2016:05:16:58.947 -0400] "POST /servicesNS/xxxx/search/saved/searches/Cisco%20-%20Critical%20and%20Alert%20%28ASA%20only%29 HTTP/1.0" 400 186 - - - 7ms
splunkd.log details -
07-01-2016 05:16:58.954 -0400 ERROR SavedSearchAdminHandler - Cannot find viewstate with vsid="xxxx"
Please do let me know how to fix this issue.
thanks in advance
I cannot tell you how it got broken, but to fix it, just go to CLI on your search head, find the associated savedsearches.conf
file, edit it, find the associated search stanza and delete the vsid=
line.
I cannot tell you how it got broken, but to fix it, just go to CLI on your search head, find the associated savedsearches.conf
file, edit it, find the associated search stanza and delete the vsid=
line.
thanks Woodcock, In the search head under the path /opt/splunk/etc/apps/search/local/savedsearches.conf, did not find any stanza related to this saved search. I had checked the same in the viewstates.conf but nothing was related to this search. So I had created the same search query and saved it in the savedsearches.conf and corresponding viewstates.conf, finally restarted the service but still its throwing the same error.
[Cisco ]
action.email.inline = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
cron_schedule = * * * * *
dispatch.latest_time = now
displayview = flashtimeline
request.ui_dispatch_view = flashtimeline
search = source="/var/log/syslog_info" _raw=DUAL-3-SIA _raw!=INDIVIDUAL earliest=-30d@h | table _time, _raw | sort -_time
vsid = xxxx
Viewstates.conf -
[flashtimeline:xxxx] - Same Vsid value given in the savedsearches.conf
AxisScaleFormatter_0_18_0.default = ""
ButtonSwitcher_0_8_0.selected = splIcon-results-table
ChartTypeFormatter_0_13_0.default = column
Count_0_7_1.default = 50
DataOverlay_0_13_0.dataOverlayMode = none
DataOverlay_0_13_0.default = none
FieldPicker_0_5_1.fields = host,sourcetype,source,User
FieldPicker_0_5_1.sidebarDisplay = True
FlashTimeline_0_4_1.height = 94px
FlashTimeline_0_4_1.minimized = False
JSChart_0_13_1.height = 300px
LegendFormatter_0_19_0.default = right
MaxLines_0_13_0.default = 10
MaxLines_0_13_0.maxLines = 10
NullValueFormatter_0_18_0.default = gaps
RowNumbers_0_12_0.default = true
RowNumbers_0_12_0.displayRowNumbers = true
RowNumbers_1_12_0.default = true
RowNumbers_1_12_0.displayRowNumbers = true
Segmentation_0_14_0.default = full
Segmentation_0_14_0.segmentation = full
SoftWrap_0_11_0.enable = True
SplitModeFormatter_0_17_0.default = false
StackModeFormatter_0_16_0.default = default
YAxisRangeMaximumFormatter_0_17_0.default = ""
YAxisRangeMinimumFormatter_0_16_0.default = ""
please do let us know is any other way we can resolve this problem. Even in the /opt/splunk/etc/apps/search/metadata/local.meta, I could not see the stanza related to this saved search.
thanks in Advance.
There are 2 possible savedsearches.conf
file locations depending on the Permission
of the search. For Private
permission, it is $SPLUNK_HOME/etc/users/YourUser/YourApp/local/savedsearches.conf
. For App
and Global
permission, it is $SPLUNK_HOME/etc/apps/YourApp/local/savedsearches.conf
. You have to find the correct search and delete the broken viewstate (like I said in the beginning).
thank Woodcock, You are right, I have checked the path /opt/splunk/etc/users/username/search/local/savedsearches.conf and deleted the VSID = XXXX from the saved search. I have got this above information from file system pooling not in the search heads. After finding the correct search from the savedsearches.conf file, deleted the VSID =xxxx stanza from the search and restarted the splunk service in the search heads.
There is no VSID = XXXX in viewstates.conf so did not change any settings.
Now the user can edit and save the searches from the setting-->search-->reporting--searchAPP--CISCO.