Solved: Re: How to find find my reports and alert coming f...

vikashperiwal · ‎05-27-2021

Hi Team,

Need help in identifying how can we find the path/directory of my alers and reports..

For ex all my alerts and reports are stored in defualt.meta .... Where can I see this path/directory name from UI to prove this

gcusello · ‎05-28-2021

Hi @vikashperiwal,

you could restrict Developers to access the Production environment.

Anyway, tell me if i can help you more.

If this answer solves your need, please accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S. Karma Points are appreciated 😉

View solution in original post

gcusello · ‎05-27-2021

Hi @vikashperiwal,

alerts and reports are stored in the savedsearches.conf file, that you can find in the "local" (also in default, but usually they are in local) folder of each app or system.

In default.meta and local.meta you can find the owners and the grants of al the objects of your app (also alerts and reports).

Ciao.

Giuseppe

vikashperiwal · ‎05-27-2021

Thanks for the quick response @gcusello , I understand the physical location , but my ask here is do we see any |rest call or another option from where I can see the path...

Like the end user do not want to see the physically where it is stored but want to see in path if the report/ alert is comming from default or local...

gcusello · ‎05-27-2021

Hi @vikashperiwal,

using the rest command:

| rest /services/saved/searches

you can see all the available information about alerts and reports but there isn't the local/default location.

Anyway, in local there are al the savedsearched that were modified by someone, so usually you should find all objects in local folder, but it isn't sure.

But, only for curiosity, why your end user should be interested to know the folder of the saverdearches.conf file?

Ciao.

Giuseppe

vikashperiwal · ‎05-27-2021

Basically they want to make sure no one has write access to these objects....and we are make release and putting the alerts and reports to defualt location

gcusello · ‎05-27-2021

Hi @vikashperiwal,

the best approach to your requirement is design with great attention the roles and the grants on the knowledge objects.

Because manually moving objects from local to default folders it's an hard job that must be done with high attention and frequently repeate (when you have to modify something) and requests a Splunk restart on Search Heads.

In other words: avoid it if you don't want to die!

Ciao.

Giuseppe

vikashperiwal · ‎05-27-2021

Haha....gotcha....

Just one last thing if we do deployment via svn(our KO), do that go to the local directory and not the defualt? Just curious to know

gcusello · ‎05-27-2021

Hi @vikashperiwal,

what do you mean that you do deployment using svn?

We're speaking of alerts and reports that are on Search Heads and it's strange to use svn for this.

If then you have a Search Head Cluster it isn't possible!

What's your architecture?

Anyway using svn you should have to restart Splunk every time you upgrade something.

Ciao.

Giuseppe

vikashperiwal · ‎05-28-2021

Yes , the plan is to have weekly once release or pushing the KO via svn, and this would make owner of KO as nobody..hence we would restrict any developer to do changes on fly..

gcusello · ‎05-28-2021

Hi @vikashperiwal,

you could restrict Developers to access the Production environment.

Anyway, tell me if i can help you more.

If this answer solves your need, please accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S. Karma Points are appreciated 😉

How to find find my reports and alert coming from which directory

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform