
One-liner to disable all scheduled searches?

muebel
SplunkTrust

Is there a command via splunk.exe or another /bin tool to disable all saved searches on a particular splunk instance? Does splunk require some of the default searches to run?

1 Solution

Lowell
Super Champion

I don't think Splunk needs any searches to run for its own internal purposes. There are some default dashboards that rely on saved searches (like "Top five sourcetypes") so they will not show up properly (or as efficiently), but none of Splunk's internals will blow up if you disable scheduled searches.

It appears that you can disable the scheduler entirely using the following setting in default-mode.conf:

[pipeline:scheduler]
disabled = true

You could bundle this in an app and deploy it. Of course this would require a splunkd restart. This is done by default in the Splunk 4.1 light forwarder. I realize this isn't exactly what you're asking for, but it may work depending on your scenario.

gkanapathy
Splunk Employee

This may only work in 4.1 and up. It may work in 4.0, but I'm not certain and don't have a 4.0 to check against.

0 Karma
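
The "bundle this in an app" approach from the accepted answer, as an added example that is not part of the original thread: a shell script that stages a small app carrying the stanza and checks that the setting is present before deployment. The app name `disable_scheduler`, the function names and the `app.conf` contents are assumptions made for illustration, as is the assumption that `default-mode.conf` is picked up from an app's `default/` directory on your version.

```shell
#!/bin/sh
# Added example: stage an app that carries the scheduler-disabling stanza.
APP_NAME="disable_scheduler"   # hypothetical app name

# build_app <apps_dir>: create <apps_dir>/$APP_NAME and print its path.
build_app() {
    apps_dir=$1
    [ -d "$apps_dir" ] || { echo "no such apps dir: $apps_dir" >&2; return 1; }
    app="$apps_dir/$APP_NAME"
    mkdir -p "$app/default" || return 1

    # Minimal app metadata (assumed contents): enabled, hidden from the UI.
    cat > "$app/default/app.conf" <<'EOF'
[install]
state = enabled

[ui]
is_visible = false
label = Disable scheduler
EOF

    # The setting quoted in the answer.
    cat > "$app/default/default-mode.conf" <<'EOF'
[pipeline:scheduler]
disabled = true
EOF
    echo "$app"
}

# scheduler_disabled <app_dir>: succeed only if the [pipeline:scheduler]
# stanza in the staged app sets disabled = true.
scheduler_disabled() {
    awk '
        /^\[/ { in_stanza = ($0 == "[pipeline:scheduler]") }
        in_stanza && /^[ \t]*disabled[ \t]*=[ \t]*true[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1/default/default-mode.conf"
}

# Stand-alone use: ./stage_app.sh /path/to/etc/apps
if [ "$#" -ge 1 ]; then
    app=$(build_app "$1") && scheduler_disabled "$app" && echo "staged: $app"
fi
```

The setting only takes effect after the splunkd restart the answer mentions, and with the scheduler pipeline disabled no scheduled search on that instance runs at all.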

gkanapathy
Splunk Employee

Splunk does not require any scheduled searches to run. The only default scheduled searches are just for populating some of the status dashboards. They will just load slower without the schedule, if you use them at all.

0 Karma

ftk
Motivator

I think you can do ./splunk add saved-search and ./splunk remove saved-search but not disable it.

By the way, ./splunk help and ./splunk help commands come in pretty handy when fiddling with the CLI.

0 Karma