Hello everyone.
The scenario:
I create a saved search using Splunk web.
I want to use the search to populate a lookup table, so I add the relevant lines directly to the entry in savedsearches.conf (action.populate_lookup), and save. (These configurations can't be added through Manager, as far as I know.)
Later, I want to make a change to the saved search, and do so through the Manager within the web GUI. I click Save.
I notice that the lookup population configuration lines in savedsearches.conf have been deleted, apparently due to the entire stanza being overwritten by Splunk web.
The question:
Is there any way to avoid this scenario, i.e. have Splunk web be non-destructive to the saved search stanzas? Or could this be considered a bug?
Thanks,
Noah