Is there a way to perform a mass update (or search+replace) on user defined searches? One at a time (300+ searches/reports/etc.) using the GUI feels unproductive.
Splunk Enterprise version 6.3.3
I've done this in the past from the file system
find /opt/splunk/etc/apps/ -name 'savedsearches.conf' | xargs sed -i 's/sourcetype="wineventlog:midwayusa"/sourcetype="wineventlog:midwayusa" OR sourcetype=httpErrorLog/g'
That of course assumes you are using a Unix OS. The -i option in the sed command does an in-place replace. You can create a backup of the original file by changing it to the following.
sed -i.bak
that will add a savedsearches.conf.bak for each file it changes.
I suggest testing first.
After you've updated, you will need to run a debug refresh on the Splunk instances where the changes were made:
http://localhost:8000/en-US/debug/refresh <-- example, but replace localhost with your server, of course.
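Added example, not part of the thread: the same search-and-replace as a Python script that touches only the `search` value of each stanza (including backslash-continued lines), reports what it would change before writing anything, and keeps a `.bak` copy like `sed -i.bak`. The sample conf text is constructed; the `/opt/splunk/etc/apps` path is the one from the answer above.

```python
import re
import shutil
import sys
from pathlib import Path

# Constructed sample savedsearches.conf: one stanza that should change, one that
# should not, plus a description that mentions the old sourcetype but is not a search.
SAMPLE_CONF = """[Midway Login Failures]
search = sourcetype="wineventlog:midwayusa" EventCode=4625 \\
  | stats count by user
description = Failed logons from sourcetype="wineventlog:midwayusa"
cron_schedule = */5 * * * *

[Unrelated Report]
search = index=web status=500 | timechart count
"""

OLD = 'sourcetype="wineventlog:midwayusa"'
NEW = 'sourcetype="wineventlog:midwayusa" OR sourcetype=httpErrorLog'


def rewrite_saved_searches(text, old, new):
    """Return (new_text, changed_stanzas). Only lines that belong to a `search` key
    are rewritten, so the same string in a description or alert action is left alone."""
    out, changed = [], []
    stanza, in_search, prev_continued = None, False, False
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if prev_continued:
            pass                      # still inside the previous key's value
        elif stripped.startswith("[") and stripped.endswith("]"):
            stanza, in_search = stripped[1:-1], False
        else:
            in_search = re.match(r"\s*search\s*=", line) is not None
        if in_search and old in line:
            line = line.replace(old, new)
            if stanza not in changed:
                changed.append(stanza)
        prev_continued = line.rstrip("\r\n").endswith("\\")
        out.append(line)
    return "".join(out), changed


def update_file(path, old, new, dry_run=True):
    """Rewrite one savedsearches.conf; with dry_run=False, back it up to <name>.bak first."""
    p = Path(path)
    new_text, changed = rewrite_saved_searches(p.read_text(), old, new)
    if changed and not dry_run:
        shutil.copy2(p, p.with_name(p.name + ".bak"))
        p.write_text(new_text)
    return changed


if __name__ == "__main__":
    apply_changes = "--apply" in sys.argv   # default is a dry run that only reports
    for conf in Path("/opt/splunk/etc/apps").rglob("savedsearches.conf"):
        for name in update_file(conf, OLD, NEW, dry_run=not apply_changes):
            print(f"{'updated' if apply_changes else 'would update'} {conf}: [{name}]")
```

Run it once without `--apply` to review the stanza list, then with `--apply`, and finish with the debug refresh described above.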
Thank you. We are using Linux. I sent the command to our Splunk admin and he said the GUI is the only way to update the queries. Mass changes to the file system would not be possible because of how Splunk is configured.
Thanks again.
Perhaps you could write a script/program that uses the API or SDK to update the searches. Check out the SDK for your favorite language at http://docs.splunk.com/Documentation/SDK or look at saved/searches/{name} in the REST API manual (http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTprolog).
@richgalloway : Thanks. Our Splunk admin turned off those features. It would take longer to fill out the system change request form, wait the week+ for the approval, then the time for the admin to make the change, and then the time to translate the API/SDK into a real-world working program, than to update all the queries by hand.
Are you using search head clustering OR search head pooling? Just want to get more details on "our Splunk admin and he said the GUI is the only way to update the queries." I've worked with both and we can update the savedsearches.conf by the method provided in this answer.
@somesoni2 : Thank you for the response. I don't know. I was 'gently nudged' to update the queries by hand (chain-of-command kind of nudge). Got a feeling any further request will not be seen positively by the powers-that-be.
If you're curious, the application changes (to use the different source type) came from the Splunk admin. Crazy world we live in.