Hello Splunk Community,
I’m reaching out for guidance on handling Knowledge Objects (KOs) that reside in the default directory of their respective apps and cannot be deleted from the Splunk UI.
We observed that:
• Some KOs throw the message:
“This saved search failed to handle removal request”
which, as documented, is likely because the KO is defined in both the local and default directories.
I have a couple of questions:
1. Can default directory KOs be deleted manually via the filesystem or another method, if not possible through the UI?
2. Is there a safe alternative such as disabling them if deletion is not possible?
3. From a list of KOs I have, how can I programmatically identify which ones reside in the default directory?
Also, is there a recommended way to handle overlapping configurations between default and local directories, especially when clean-up or access revocation is needed?
Any best practices, scripts, or documentation references would be greatly appreciated!
Hi @amanthri ,
Disabling the KO is the safest option from your savedsearches.conf:
[<name_of_your_saved_search>]
disabled = 1
You can place it in the local directory, /local/savedsearches.conf; it will effectively override the default.
This works for the other KOs too.
1. Yes. If the UI cannot delete a KO then it must be removed by other means, including editing the .conf file. Best Practice is to update the app that defines the KO and then re-install the app.
2. Yes, if disabling is available then that is a safe option.
3. Use btool. It will apply proper config file precedence and show where each setting came from.
splunk btool --debug <<config file base name>> list
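For question 3, one way to turn the btool output into a per-KO answer, as an added example that is not part of the original replies: it parses `--debug` output for savedsearches and labels each stanza by the app-level directories that contribute to it. The sample lines, app names and the `layers_by_stanza`/`classify` helpers are constructed for illustration, and the output layout (source path, whitespace, then the setting) is assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout btool --debug prints for savedsearches:
# "<source .conf path>  <stanza header or key = value>" (POSIX paths assumed).
SAMPLE = """\
/opt/splunk/etc/apps/app_a/default/savedsearches.conf [Failed Logins]
/opt/splunk/etc/apps/app_a/local/savedsearches.conf   disabled = 1
/opt/splunk/etc/apps/app_a/default/savedsearches.conf search = index=auth action=failure
/opt/splunk/etc/apps/app_b/local/savedsearches.conf   [Adhoc Report]
/opt/splunk/etc/apps/app_b/local/savedsearches.conf   search = index=main | stats count
/opt/splunk/etc/apps/app_c/default/savedsearches.conf [Old Alert]
/opt/splunk/etc/system/default/savedsearches.conf     dispatch.earliest_time = 0
/opt/splunk/etc/apps/app_c/default/savedsearches.conf search = index=web status=500
"""

# Path column ends at the first ".conf" followed by whitespace.
LINE = re.compile(r"^(?P<path>.+?\.conf)\s+(?P<rest>.*)$")
# Assumption of this example: etc/system mostly supplies inherited attribute
# defaults rather than KO definitions, so only app/user paths are matched.
LAYER = re.compile(r"/etc/(?:apps/[^/]+|users/[^/]+/[^/]+)/(default|local)/")


def layers_by_stanza(btool_output):
    """Return {stanza name: set of layers ('default'/'local') contributing to it}."""
    layers = defaultdict(set)
    stanza = None
    for line in btool_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        if rest.startswith("[") and rest.endswith("]"):
            stanza = rest[1:-1]
        loc = LAYER.search(m.group("path"))
        if stanza is not None and loc:
            layers[stanza].add(loc.group(1))
    return layers


def classify(btool_output):
    """Label each stanza default-only, local-only, or default+local."""
    labels = {frozenset({"default"}): "default-only",
              frozenset({"local"}): "local-only"}
    return {name: labels.get(frozenset(seen), "default+local")
            for name, seen in layers_by_stanza(btool_output).items()}


if __name__ == "__main__":
    for name, label in classify(SAMPLE).items():
        print(f"{label:14} {name}")
```

Stanzas labelled default-only or default+local have a definition in a default directory, so the local `disabled = 1` override or the app update described in the replies applies to them.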