
Savedsearches.conf changes not working

brantramey
Explorer

Attempting to use savedsearches.conf to create saved searches associated with my app. The issue I seem to have is that the searches within the file do not show up in the Manager. I have removed the vsid= portion; I have left that part in. Nothing seems to work. I want to have my saved searches self-contained in the app as the app is deployed, without having to manually create the saved search through the GUI.
Below is an example of one of the 3 in the file not showing up at all.

[Admin - Real-time Searches over last 24 hours]
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
displayview = flashtimeline
request.ui_dispatch_view = flashtimeline
search = index=* sourcetype=audittrail search_id='rt*' | transaction search_id | table timestamp search_id search total_run_time result_count user


lguinn2
Legend

This is perhaps a dumb suggestion; if so, I apologize. But are you sure that you have selected the proper app in the Manager? There are two selectors at the top of the page: App Context and Owner. There is also a checkbox for "Show only objects created in this app context." And what user account did you use to log in to Splunk - was it the same one that you used to create the app and the saved searches?

If you can't figure it out in the Splunk Manager, you can look at the underlying configuration files. Here are the files that affect your application and search visibility:

$SPLUNK_HOME/etc/apps/YOURAPP/default/app.conf
$SPLUNK_HOME/etc/apps/YOURAPP/local/app.conf
$SPLUNK_HOME/etc/apps/YOURAPP/metadata/default.meta
$SPLUNK_HOME/etc/apps/YOURAPP/metadata/local.meta
$SPLUNK_HOME/etc/apps/YOURAPP/default/savedsearches.conf
$SPLUNK_HOME/etc/apps/YOURAPP/local/savedsearches.conf
$SPLUNK_HOME/etc/apps/YOURAPP/default/data/ui/nav/default.xml
$SPLUNK_HOME/etc/apps/YOURAPP/default/data/ui/nav/default.xml

When the same file appears in both the local and the default folders, Splunk combines the two. If any settings conflict, the local version will override the default. You can edit these files directly, but you should make a backup copy of the file before you change it. Here is more info about the config files.

Finally - if you can't find the savedsearches.conf file in the app folders, or if it doesn't contain the searches you expect, it may be because the app and/or the searches are private to the user that created them. In that case, you will find the files under

$SPLUNK_HOME/etc/users/USERNAME/YOURAPP/*

In the end, your searches should show up in the Manager - if you are logged in as the proper user (or admin) and you have selected the proper app and options in the Manager. If they don't, you should probably file a support ticket. All the other suggestions here are a little tangential to your original question...
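The layering described in the answer above (default merged with local, plus per-user private copies), as an added example that is not part of the original answer and is not Splunk's own code. The app name `myapp`, the user `alice`, the `local/` subfolder under the user directory, and the minimal parser (no backslash line continuations) are assumptions for illustration.

```python
import tempfile
from pathlib import Path

def parse_conf(path):
    """Minimal .conf reader: [stanza] headers and key = value lines only."""
    stanzas, current = {}, None
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def app_searches(splunk_home, app):
    """Merge default/ then local/ so local wins; record which layers define each stanza."""
    merged = {}
    for layer in ("default", "local"):
        conf = Path(splunk_home, "etc", "apps", app, layer, "savedsearches.conf")
        if conf.is_file():
            for name, settings in parse_conf(conf).items():
                entry = merged.setdefault(name, {"settings": {}, "sources": []})
                entry["settings"].update(settings)
                entry["sources"].append(layer)
    return merged

def private_searches(splunk_home, app):
    """Map each user to stanzas stored under etc/users/USERNAME/<app>/."""
    found, users = {}, Path(splunk_home, "etc", "users")
    for conf in sorted(users.glob(f"*/{app}/**/savedsearches.conf")):
        found.setdefault(conf.relative_to(users).parts[0], []).extend(parse_conf(conf))
    return found

def build_sample(root):
    """Write a constructed tree: hypothetical app 'myapp' and user 'alice'."""
    files = {
        "etc/apps/myapp/default/savedsearches.conf": "[RT audit]\ndispatch.earliest_time = -24h@h\nsearch = index=_audit\n",
        "etc/apps/myapp/local/savedsearches.conf": "[RT audit]\ndispatch.earliest_time = -1h@h\n",
        "etc/users/alice/myapp/local/savedsearches.conf": "[My private search]\nsearch = index=main\n",
    }
    for rel, text in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample(home)
        print(app_searches(home, "myapp"), private_searches(home, "myapp"))
```

A stanza that appears only in `private_searches` output lives in a user directory rather than in the deployed app, which is the situation the last paragraph of the answer describes.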

brantramey
Explorer

Not sure what happened, but we upgraded to 4.2.5 and it magically started working.

Thanks.


brantramey
Explorer

Attempted both of these suggestions and the queries still do not show up in the manager.

I have restarted the search head several times as well.
I have deleted the app, deleted the saved queries from the GUI, and had the app redeployed and I have the same issue.

joshd
Builder

I assume you are editing the file directly? Did you refresh after making the changes? Here's a related post:

http://splunk-base.splunk.com/answers/8696/how-ro-reload-global-savedsearches

You could also force a refresh on all splunkd resources (use with caution!) by accessing this URL:

https://yourhost:8000/en-US/debug/refresh
