Splunk Search

Splunk Saved and Scheduled Search

abhayneilam
Contributor

Hi,

I created a saved search and also created an alert which was scheduled for every Friday. Last Friday I received an alert, but I don't want to receive that alert any more and I want to delete it. When I went to delete the search I didn't find it. I don't know where that search (saved search) has gone; there is no scheduled search. I have checked in my Unix box as well, but didn't find anything except in ...etc/app_nam/metadata/local.meta.local, where I found the saved search name, and nowhere else.
Could you please help me with how to stop this alert? What is happening, and why is this search generating an alert? If someone deleted the alert, how is it still coming? And is it possible to find out who deleted it?

Many thanks for your help !!


somesoni2
Revered Legend

Not sure how much it'll help, but the query below can give a list of all saved searches present in your Splunk instance.

| rest /services/saved/searches | table title, eai:acl.app, eai:acl.owner, splunk_server, cron_schedule, description, action.email, action.email.sendresults, action.email.to, action.script, alert.expires, alert_type, eai:acl.perms.read, eai:acl.perms.write, eai:acl.sharing, qualifiedSearch

You should be able to find this along with the information about the app under which it is present. If you find your search within the result of this query, go to the respective app and delete it (from the UI or from the savedsearches.conf file within the app folder). If not, the query below can give you details if it was deleted from the UI.

index="_internal" sourcetype="splunkd_access" method="DELETE" NameOfYourSearch

abhayneilam
Contributor

But I am not getting any result with the query: index="_internal" sourcetype="splunkd_access" method="DELETE"

So I am not able to see the user name as well


somesoni2
Revered Legend

The query to get deleted objects will give a result only if the object was deleted via the Splunk Web UI. Please ensure the time range is correctly selected. The query result (if any) should have a field called user showing who deleted the object.

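To make the splunkd_access check from the two replies above concrete, here is an added Python example (not from this thread and not Splunk's own code) that parses splunkd_access.log lines and reports who issued DELETE requests against saved/searches endpoints, which is what the index="_internal" sourcetype="splunkd_access" method="DELETE" search surfaces, including the user field. The log lines, client addresses, user names and search names are constructed for illustration, and the Apache-style line layout (client, user, bracketed timestamp, quoted request line, status) is an assumption about that log's general shape. It also keeps non-2xx deletes so a failed attempt is visible, and it explains nothing about deletions made by editing savedsearches.conf on disk, which never reach this log.

```python
"""Find DELETE requests against Splunk saved searches in splunkd_access.log lines.

Added example. The sample lines below are constructed; the layout assumed is
  <client> - <user> [<timestamp>] "<METHOD> <path> HTTP/x.y" <status> <bytes> ...
"""
import re
from urllib.parse import unquote

# Constructed sample log excerpt (hosts, users, timestamps and names are made up).
SAMPLE_LOG = """\
10.0.0.5 - admin [02/Feb/2024:09:01:12.004 +0000] "GET /services/saved/searches?count=0 HTTP/1.1" 200 8123 - - - 14ms
10.0.0.9 - alice [02/Feb/2024:09:03:40.771 +0000] "DELETE /servicesNS/alice/search/saved/searches/example_weekly_alert HTTP/1.1" 200 1172 - - - 9ms
10.0.0.9 - alice [02/Feb/2024:09:04:02.118 +0000] "POST /servicesNS/alice/search/saved/searches/other%20search/disable HTTP/1.1" 200 1050 - - - 7ms
10.0.0.7 - bob [02/Feb/2024:09:10:55.300 +0000] "DELETE /servicesNS/nobody/other_app/saved/searches/ghost%20alert HTTP/1.1" 404 312 - - - 3ms
"""

# One access-log line: client, user, timestamp, request line, HTTP status.
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# REST path of a saved search, either /services/... or the namespaced
# /servicesNS/<owner>/<app>/... form; the name may be URL-encoded.
PATH_RE = re.compile(
    r'^/services(?:NS/(?P<owner>[^/]+)/(?P<app>[^/]+))?/saved/searches/(?P<name>[^/?]+)'
)


def find_saved_search_deletions(log_text, name=None):
    """Return one record per DELETE aimed at a saved search.

    If `name` is given, only deletions of that saved search are returned.
    Records keep the HTTP status so failed attempts (e.g. 404) are not hidden.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "DELETE":
            continue
        p = PATH_RE.match(m["path"])
        if not p:
            continue  # a DELETE against some other endpoint
        search_name = unquote(p["name"])
        if name is not None and search_name != name:
            continue
        status = int(m["status"])
        events.append({
            "user": m["user"],
            "time": m["ts"],
            "client": m["client"],
            "owner_ns": p["owner"],   # namespace owner in the URL, not necessarily the actor
            "app": p["app"],
            "name": search_name,
            "status": status,
            "succeeded": 200 <= status < 300,
        })
    return events


if __name__ == "__main__":
    for ev in find_saved_search_deletions(SAMPLE_LOG):
        outcome = "deleted" if ev["succeeded"] else f"failed ({ev['status']})"
        print(f"{ev['time']} user={ev['user']} from {ev['client']} "
              f"{outcome} {ev['name']!r} in app={ev['app']}")
```

The user shown is the authenticated account that sent the request; the owner segment of a /servicesNS path is only the namespace the object lives in. An empty result from this parser, like an empty result from the search above, means no UI or REST deletion was logged in the time range checked, not that the object was never removed by other means.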

abhayneilam
Contributor

Is it possible to find out who has deleted that search, if it was deleted by someone?


abhayneilam
Contributor

After giving index="_internal" sourcetype="splunkd_access" method="DELETE" updates_active_user_48h_sample_uniqueIMSI, I am not getting any output; it is returning 0 results ("No results found").


grijhwani
Motivator

You will (probably) find it under $SPLUNKHOME/etc/users/${your account}/${appname}/local/savedsearches.conf.

Your problem is likely not knowing which "application" you added the search from.

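The two answers above point at different layers of the Splunk configuration tree: somesoni2's at savedsearches.conf inside an app folder, grijhwani's at the per-user copy under etc/users/<user>/<app>/local. The following added Python example (not from this thread and not Splunk's own tooling) walks a constructed etc tree through both layers plus the ACL metadata in metadata/local.meta, and reports where a saved search is defined and who owns it. It also flags the case the original question describes: a savedsearches/<name> stanza surviving in a .meta file with no matching definition anywhere. The directory layout, app names, user names and stanza contents are built in a temporary directory and are made up for illustration.

```python
"""Locate a Splunk saved search across etc/apps, etc/users and metadata files.

Added example. Paths follow Splunk's usual layout:
  apps/<app>/{local,default}/savedsearches.conf
  users/<user>/<app>/local/savedsearches.conf
  apps/<app>/metadata/{local,default}.meta   (stanza [savedsearches/<name>])
The sample tree is constructed in a temp directory; every name in it is invented.
"""
import configparser
import tempfile
from pathlib import Path


def _read_conf(path):
    """Parse a Splunk .conf/.meta file (INI-like, keys are case-sensitive)."""
    cp = configparser.ConfigParser(
        interpolation=None,   # values like cron expressions contain '%'-free text, but be safe
        strict=False,         # tolerate duplicate stanzas
        allow_no_value=True,
        delimiters=("=",),    # 'access = read : [ * ]' must not split on ':'
    )
    cp.optionxform = str      # keep 'enableSched', 'action.email.to' as written
    cp.read(path, encoding="utf-8")
    return cp


def locate_saved_search(etc_root, name):
    """Return where `name` is defined and which metadata stanzas refer to it."""
    etc = Path(etc_root)
    result = {"definitions": [], "metadata": []}

    conf_paths = (
        list(etc.glob("apps/*/local/savedsearches.conf"))
        + list(etc.glob("apps/*/default/savedsearches.conf"))
        + list(etc.glob("users/*/*/local/savedsearches.conf"))
    )
    for path in conf_paths:
        cp = _read_conf(path)
        if cp.has_section(name):
            sec = cp[name]
            result["definitions"].append({
                "path": path.relative_to(etc).as_posix(),
                "cron_schedule": sec.get("cron_schedule"),
                "enableSched": sec.get("enableSched"),
                "action.email.to": sec.get("action.email.to"),
            })

    meta_paths = list(etc.glob("apps/*/metadata/*.meta")) + list(etc.glob("users/*/*/metadata/*.meta"))
    stanza = f"savedsearches/{name}"
    for path in meta_paths:
        cp = _read_conf(path)
        if cp.has_section(stanza):
            sec = cp[stanza]
            result["metadata"].append({
                "path": path.relative_to(etc).as_posix(),
                "owner": sec.get("owner"),
                "access": sec.get("access"),
            })

    # Metadata left behind without any definition: the object itself is gone
    # (or lives somewhere outside the layers searched), only its ACL record remains.
    result["orphaned_metadata"] = bool(result["metadata"]) and not result["definitions"]
    return result


def build_sample_tree():
    """Create a constructed etc/ tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="splunk_etc_"))
    files = {
        "apps/search/local/savedsearches.conf": (
            "[example_weekly_alert]\nsearch = index=main | stats count\n"
            "cron_schedule = 0 9 * * 5\nenableSched = 1\n"
            "action.email = 1\naction.email.to = ops@example.invalid\n\n"
            "[unrelated_search]\nsearch = index=main | head 1\n"
        ),
        "apps/search/metadata/local.meta": (
            "[savedsearches/example_weekly_alert]\n"
            "access = read : [ * ], write : [ admin ]\nowner = admin\nexport = none\n"
        ),
        # Metadata whose definition no longer exists anywhere: the asker's situation.
        "apps/other_app/metadata/local.meta": (
            "[savedsearches/ghost_alert]\naccess = read : [ * ], write : [ admin ]\nowner = alice\n"
        ),
        "users/bob/search/local/savedsearches.conf": (
            "[bob_private_alert]\nsearch = index=_internal | head 5\n"
            "cron_schedule = */15 * * * *\nenableSched = 1\n"
        ),
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for n in ("example_weekly_alert", "ghost_alert", "bob_private_alert"):
        print(n, locate_saved_search(root, n))
```

Run against a real $SPLUNK_HOME/etc, the "users" hits are the private, user-scoped copies grijhwani describes, and an orphaned_metadata result tells you the name you are seeing in local.meta is an ACL leftover rather than a live scheduled search.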

abhayneilam
Contributor

I am getting the name of the saved search under :
etc/apps/app_name/metadata/local.meta.old.

Is this something which is annoying me


abhayneilam
Contributor

I have just checked but did not get that saved search name in the above location. I am also using the find command with xargs, grepping for the saved search name under the "etc" directory, but nothing is coming up.
