Splunk Cloud Platform

Unable to delete unused/unwanted saved searches (Reports & Alerts) on Splunk Core SH

amanthri
New Member

Hello Splunk Community,

I’m reaching out for guidance on handling Knowledge Objects (KOs) that reside in the default directory of their respective apps and cannot be deleted from the Splunk UI.

We observed that:
• Some KOs throw the message:
“This saved search failed to handle removal request”
which, as documented, is likely because the KO is defined in both the local and default directories.

I have a couple of questions:
1. Can default directory KOs be deleted manually via the filesystem or another method, if not possible through the UI?
2. Is there a safe alternative such as disabling them if deletion is not possible?
3. From a list of KOs I have, how can I programmatically identify which ones reside in the default directory?

Also, is there a recommended way to handle overlapping configurations between default and local directories, especially when clean-up or access revocation is needed?

Any best practices, scripts, or documentation references would be greatly appreciated!

0 Karma

thahir
Communicator

Hi @amanthri,

Disabling the KO is the safest option from your savedsearches.conf

[<name_of_your_saved_search>]
disabled = 1

You can place it in the local directory, /local/savedsearches.conf; it will effectively override the default.

This works for the other KOs too.

richgalloway
SplunkTrust

1. Yes.  If the UI cannot delete a KO then it must be removed by other means, including editing the .conf file.  Best Practice is to update the app that defines the KO and then re-install the app.

2. Yes, if disabling is available then that is a safe option.

3. Use btool.  It will apply proper config file precedence and show where each setting came from.

splunk btool --debug <<config file base name>> list
---
If this reply helps you, Karma would be appreciated.
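
For question 3 and the btool suggestion above, an added example (not code from any poster in this thread) that classifies each saved search by the directory layer its effective settings come from. It assumes each `--debug` line starts with the source file path followed by whitespace, that paths contain no spaces, and that lines sourced from etc/system/ are global defaults to be ignored; the sample output, paths and stanza names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `splunk btool --debug savedsearches list` output.
# Paths and stanza names are made up for illustration.
SAMPLE = """\
/opt/splunk/etc/apps/app_a/local/savedsearches.conf    [Old Alert]
/opt/splunk/etc/apps/app_a/local/savedsearches.conf    disabled = 1
/opt/splunk/etc/apps/app_a/default/savedsearches.conf  search = index=main error
/opt/splunk/etc/apps/app_b/default/savedsearches.conf  [Vendor Report]
/opt/splunk/etc/apps/app_b/default/savedsearches.conf  search = index=web status=500
/opt/splunk/etc/users/alice/search/local/savedsearches.conf  [My Report]
/opt/splunk/etc/users/alice/search/local/savedsearches.conf  search = index=main
/opt/splunk/etc/system/default/savedsearches.conf      dispatch.ttl = 2p
"""

# Assumption: "<path ending in .conf><whitespace><stanza header or key = value>"
LINE = re.compile(r"^(\S+\.conf)\s+(.*)$")


def classify(btool_output):
    """Return {stanza name: 'default' | 'local' | 'both'}."""
    layers = defaultdict(set)
    stanza = None
    for raw in btool_output.splitlines():
        match = LINE.match(raw)
        if not match:
            continue  # continuation lines of multi-line values carry no path
        path, setting = match.groups()
        if setting.startswith("[") and setting.endswith("]"):
            stanza = setting[1:-1]
        if stanza is None or "/etc/system/" in path:
            continue  # global defaults are merged into every stanza; skip them
        layer = path.split("/")[-2]  # directory holding the .conf file
        if layer in ("default", "local"):
            layers[stanza].add(layer)
    return {name: "both" if len(found) == 2 else next(iter(found))
            for name, found in layers.items()}


if __name__ == "__main__":
    for name, where in sorted(classify(SAMPLE).items()):
        print(f"{where:8} {name}")
```

btool reports only the winning source for each setting, so a default copy whose every key is overridden in local shows up here as `local`; confirm such cases against the app's default/savedsearches.conf directly.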