Security

How to copy savedsearches.conf from one user to another?

hartfoml
Motivator

I have a user that use to run reports for his group. he has left the company. Since I am using scripted authentication most of the users profile information does not show up in the management GUI. I can see the savedsearches.conf for for the departed user and I would like to copy the entire saved search into the new employees profile so that they can take over the responsibilities. I am concerned about the VSID number and what it will mean if I copy or don't copy this number into the new employees profile?

Will this cause a problems when I copy the saved search to the new profile?

1 Solution

somesoni2
Revered Legend

You can remove the vsid attribute from savedsearches.conf and move the file to new user's profile. A Splunk refresh (http(s)://splunk_servver:port/en-US/debug/refresh) or restart will be required.

View solution in original post

somesoni2
Revered Legend

You can remove the vsid attribute from savedsearches.conf and move the file to new user's profile. A Splunk refresh (http(s)://splunk_servver:port/en-US/debug/refresh) or restart will be required.

skender27
Contributor

Hi,

I almost have the same issue.
Does it work (removing the row vsid) also when you copy the savedsearch.conf file from an old Splunk Enterprise to a new one?

Thanks,
Skender

0 Karma

somesoni2
Revered Legend

Yes...!!!!

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...