Re: Searches and reports Cache

pero1234 · ‎08-04-2011

How to clean Searches and reports cache?

I just rename stanza from [Report TEST] to [Report All Users] in my savedsearches.conf but that report on email is still under name 'Report TEST'!!!

After research all my savedsearches.conf files I saw that I have another [Report TEST] and my new one [Report All Users] with the same parameters and search!

/opt/splunk/etc/apps/search/local/savedsearches.conf

[Report TEST]
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */10 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = index=myindex sourcetype=mysourcetype test1

/opt/splunk/etc/apps/search/local/savedsearches.conf

[Report All Users]
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */10 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = index=myindex sourcetype=mysourcetype test1

'Report TEST' works but 'Report All Users' don't!!!! Why?????

hjwang · ‎08-05-2011

Restart your splunk to reload new configure file

pero1234 · ‎08-05-2011

Restart did not help!

Searches and reports Cache

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation