Splunk Search

Viewstates Error when trying to save/clone/edit search

JDukeSplunk
Builder

So we have a number of searches that cannot be saved or cloned due to viewstate errors. Many of them are accelerated and scheduled and I need to be able to edit them so that they run properly.


I have checked this answer HERE

I confirmed that my $SPLUNK_HOME/etc/apps/search/metadata/default.meta file has the right entry for viewstates. As shown.

I have taken some of them and recreated them as new searches, and they saved just fine. Then I can delete them without issue.

What else might I try?

1 Solution

woodcock
Esteemed Legend

Go to the CLI on the Search Head, find the savedsearches.conf file that has the viewstate in it (if *nix, you can use find $SPLUNK_HOME/etc/ -name savedsearches.conf -exec grep -l hqfssli4 {} \;). Stop splunk, edit the file and REMOVE the viewstate line entirely, save it, restart splunk, enjoy. Make a backup of the file first.


0 Karma
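
The procedure from the accepted answer as a script. This is an added example, not part of woodcock's post. It assumes the viewstate line is the "vsid = <id>" setting in savedsearches.conf, that the ID is plain alphanumeric, and that Splunk is already stopped; the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example: locate, back up and clean savedsearches.conf files that
# reference a stale viewstate. Assumption: the line to remove is "vsid = <id>".

# Print every savedsearches.conf under $1 that sets vsid to the ID in $2.
find_viewstate_files() {
    local root="$1" vsid="$2"
    find "$root" -name savedsearches.conf -type f \
        -exec grep -lE "^[[:space:]]*vsid[[:space:]]*=[[:space:]]*${vsid}[[:space:]]*$" {} \;
}

# Back up file $1, remove only the vsid line for ID $2, print lines removed.
strip_viewstate() {
    local file="$1" vsid="$2" backup tmp before after
    backup="${file}.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup" || return 1          # backup first, as the answer says
    tmp="$(mktemp "${file}.XXXXXX")" || return 1
    before=$(wc -l < "$file")
    # grep -v exits 1 when it outputs nothing; only a status above 1 is an error
    grep -vE "^[[:space:]]*vsid[[:space:]]*=[[:space:]]*${vsid}[[:space:]]*$" \
        "$file" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    after=$(wc -l < "$tmp")
    cat "$tmp" > "$file"                         # overwrite in place: keeps owner and mode
    rm -f "$tmp"
    echo $((before - after))
}

# Usage: ./strip_viewstate.sh "$SPLUNK_HOME/etc" hqfssli4
if [ "$#" -eq 2 ]; then
    find_viewstate_files "$1" "$2" | while IFS= read -r f; do
        echo "$f: removed $(strip_viewstate "$f" "$2") line(s)"
    done
fi
```

The backups are written next to each file as savedsearches.conf.bak.<timestamp>, so restoring is a single copy back if a search misbehaves after the restart.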
