Splunk Search

How to find find my reports and alert coming from which directory

vikashperiwal
Path Finder

Hi Team,

 

Need help in identifying how can we find the path/directory of my alers and reports..

 

For ex all my alerts and reports are stored in defualt.meta .... Where can I see this path/directory name from UI to prove this

Labels (1)
Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @vikashperiwal,

you could restrict Developers to access the Production environment.

Anyway, tell me if i can help you more.

If this answer solves your need, please accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S. Karma Points are appreciated 😉

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vikashperiwal,

alerts and reports are stored in the savedsearches.conf file, that you can find in the "local" (also in default, but usually they are in local) folder of each app or system.

In default.meta and local.meta you can find the owners and the grants of al the objects of your app (also alerts and reports).

Ciao.

Giuseppe

0 Karma

vikashperiwal
Path Finder

Thanks for the quick response @gcusello , I understand the physical location , but my ask here is do we see any |rest call or another option from where I can see the path...

 

Like the end user do not want to see the physically where it is stored but want to see in path if the report/ alert is comming from default or local...

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vikashperiwal,

using the rest command:

| rest /services/saved/searches

you can see all the available information about alerts and reports but there isn't the local/default location.

Anyway, in local there are al the savedsearched that were modified by someone, so usually you should find all objects in local folder, but it isn't sure.

But, only for curiosity, why your end user should be interested to know the folder of the saverdearches.conf file?

Ciao.

Giuseppe

vikashperiwal
Path Finder

Basically they want to make sure no one has write access to these objects....and we are make release and putting the alerts and reports to defualt location

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vikashperiwal,

the best approach to your requirement is design with great attention the roles and the grants on the knowledge objects.

Because manually moving  objects from local to default folders it's an hard job that must be done with high attention and frequently repeate (when you have to modify something) and requests a Splunk restart on Search Heads.

In other words: avoid it if you don't want to die!

Ciao.

Giuseppe

0 Karma

vikashperiwal
Path Finder

Haha....gotcha....

 

Just one last thing if we do deployment via svn(our KO), do that go to the local directory  and not the defualt? Just curious to know

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vikashperiwal,

what do you mean that you do deployment using svn?

We're speaking of alerts and reports that are on Search Heads and it's strange to use svn for this.

If then you have a Search Head Cluster it isn't possible!

What's your architecture?

Anyway using svn you should have to restart Splunk every time you upgrade something.

Ciao.

Giuseppe

0 Karma

vikashperiwal
Path Finder

Yes , the plan is to have weekly once release or pushing the KO via svn, and this would make owner of KO as nobody..hence we would restrict any developer to do changes on fly..

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vikashperiwal,

you could restrict Developers to access the Production environment.

Anyway, tell me if i can help you more.

If this answer solves your need, please accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S. Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...