- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Is it possible to copy savedsearches.conf from...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to copy savedsearches.conf from an old Splunk app to a recent one (newest Splunk version)?
Hi,
The requirement is to have the same dashboard (lots of href links to searches in Splunk organized in blockes) when building up a new Splunk distributed platform.
I am thinking to reuse the same savedsearches.conf (a large one made in html) from a Splunk 5.0.9 to a recent version and so copying it under the same app local folder...
What issues should I consider (except removing the vsid row from each search saved)?
Thanks a lot,
Skender
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would need to copy the savedsearches.conf and corresponding local.meta entries (yourApp/metadata folder). The local.meta would define the permissions and scope (visibility) for the searches (required).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunatelly no (should I override the existing folder?).
In fact, it is unnecessary now because some of them are obsolete . Well in this case I think I have to re-create all the searches which feed the href links of the dashboard.
I will let you know,
Skender
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I tried deleting the vsid attributes from the copied savedsearches.conf, but still i couldn't get the old searches.
Probably because of different Splunk versions: the old one was a Enterprise 5.0.8 and the new one was a 6.4.
Could it be the reason?
Skender
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And did you copy the .meta entries as well?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure, I will try next week and I'll share how this behaves.
Thanks a lot,
Skender
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Precision: "a large one made in html" I mean the dashboard, not the .conf file.
Skender
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, Should be perfectly fine. Give it a try and let me know the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can try this only the next week...
I will share all the results about this issue.
Thanks,
Skender
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
