Re: Searches and reports Cache

pero1234 · ‎08-04-2011

How to clean Searches and reports cache?

I just rename stanza from [Report TEST] to [Report All Users] in my savedsearches.conf but that report on email is still under name 'Report TEST'!!!

After research all my savedsearches.conf files I saw that I have another [Report TEST] and my new one [Report All Users] with the same parameters and search!

/opt/splunk/etc/apps/search/local/savedsearches.conf

[Report TEST]
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */10 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = index=myindex sourcetype=mysourcetype test1

/opt/splunk/etc/apps/search/local/savedsearches.conf

[Report All Users]
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */10 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
search = index=myindex sourcetype=mysourcetype test1

'Report TEST' works but 'Report All Users' don't!!!! Why?????

hjwang · ‎08-05-2011

Restart your splunk to reload new configure file

pero1234 · ‎08-05-2011

Restart did not help!

Searches and reports Cache

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...