Security

How to copy savedsearches.conf from one user to another?

hartfoml
Motivator

I have a user that use to run reports for his group. he has left the company. Since I am using scripted authentication most of the users profile information does not show up in the management GUI. I can see the savedsearches.conf for for the departed user and I would like to copy the entire saved search into the new employees profile so that they can take over the responsibilities. I am concerned about the VSID number and what it will mean if I copy or don't copy this number into the new employees profile?

Will this cause a problems when I copy the saved search to the new profile?

1 Solution

somesoni2
Revered Legend

You can remove the vsid attribute from savedsearches.conf and move the file to new user's profile. A Splunk refresh (http(s)://splunk_servver:port/en-US/debug/refresh) or restart will be required.

View solution in original post

somesoni2
Revered Legend

You can remove the vsid attribute from savedsearches.conf and move the file to new user's profile. A Splunk refresh (http(s)://splunk_servver:port/en-US/debug/refresh) or restart will be required.

skender27
Contributor

Hi,

I almost have the same issue.
Does it work (removing the row vsid) also when you copy the savedsearch.conf file from an old Splunk Enterprise to a new one?

Thanks,
Skender

0 Karma

somesoni2
Revered Legend

Yes...!!!!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...