Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Manual additions to savedsearches.conf overwritten by web GUI

noahzstahl
Engager
‎07-13-2011 01:48 PM

Hello everyone.

The scenario:

  1. I create a saved search using Splunk web
  2. I want to use the search to populate a lookup table, so I add the relevant lines directly to the entry in savedsearches.conf (action.populate_lookup), and save. (These configurations can't be added through Manager, as far as I know)
  3. Later, I want to make a change to the saved search, and do so through the Manager within web GUI. I click Save.
  4. I notice that the lookup population configuration lines in savedsearches.conf have been deleted, apparently due to the entire stanza being overwritten by Splunk web.

The question:

Is there any way to avoid this scenario, i.e. have Splunk web be non-destructive to the saved search stanzas? Or could this be considered a bug?

Thanks,

Noah

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎07-13-2011 03:46 PM

noahzstahl,

I would think this is a bug. We should not be overwriting the entire stanza. As a workaround you can use the inputlookup and outputlookup search commands to generate the lookup file instead of savedsearches.conf settings. This allows you to achieve everything via search syntax.

Example of a descructive output each time:

search = index=_internal | stats count by host, sourcetype | outputlookup my_lookup_table

To do a non-descructive lookup (useful when tracking stuff):

search = index=_internal | stats count by host, sourcetype | inputlookup append=T my_lookup_table | stats sum(count) as count by host, sourcetype | outputlookup my_lookup_table

-David

View solution in original post

Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎07-13-2011 03:46 PM

noahzstahl,

I would think this is a bug. We should not be overwriting the entire stanza. As a workaround you can use the inputlookup and outputlookup search commands to generate the lookup file instead of savedsearches.conf settings. This allows you to achieve everything via search syntax.

Example of a descructive output each time:

search = index=_internal | stats count by host, sourcetype | outputlookup my_lookup_table

To do a non-descructive lookup (useful when tracking stuff):

search = index=_internal | stats count by host, sourcetype | inputlookup append=T my_lookup_table | stats sum(count) as count by host, sourcetype | outputlookup my_lookup_table

-David

Reply
Solved! Jump to solution

noahzstahl
Engager
‎08-23-2011 07:31 AM

Thanks David. I like the idea of including everything in the search string.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...