Splunk Search

Splunk Saved and Scheduled Search

abhayneilam
Contributor

Hi,

I created a saved search and also created an alert which was scheduled every Friday. Now, last Friday I received an alert, but I don't want to receive that alert any more; I want to delete it. When I went to delete the search I didn't find it. I don't know where that search (saved search) has gone; there is no scheduled search. I have checked on my Unix box as well, but didn't find anything, except in ...etc/app_nam/metadata/local.meta.local, where I found the saved search name, and nowhere else.
Could you please help me with how to stop this alert? What is happening; why is this search generating an alert? Or, if someone deleted the alert, how is it still coming? Or who has deleted it, if it is possible to find out?

Many thanks for your help !!

0 Karma

somesoni2
SplunkTrust

Not sure how much it'll help, but the query below can give a list of all saved searches present in your Splunk instance.

| rest /services/saved/searches | table title, eai:acl.app, eai:acl.owner, splunk_server, cron_schedule, description, action.email, action.email.sendresults, action.email.to, action.script, alert.expires, alert_type, eai:acl.perms.read, eai:acl.perms.write, eai:acl.sharing, qualifiedSearch

You should be able to find this along with the information about the app under which it is present. If you find your search within the result of this query, go to the respective app and delete it (from the UI or from the savedsearches.conf file within the app folder). If not, the query below can give you details if it was deleted from the UI.

index="_internal" sourcetype="splunkd_access" method="DELETE" NameOfYourSearch

abhayneilam
Contributor

But I am not getting any results with the query index="_internal" sourcetype="splunkd_access" method="DELETE".

So I am not able to see the user name either.

0 Karma

somesoni2
SplunkTrust

The query to get deleted objects will give results only if the object was deleted via Splunk Web UI. Please ensure the time range is correctly selected. The query result (if any) should have a field called user, which identifies who deleted the object.

0 Karma
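The DELETE query in the first answer and the follow-up about its user field can be checked offline. Below is an added example (not from the thread and not Splunk's own code) that does what index="_internal" sourcetype="splunkd_access" method="DELETE" NameOfYourSearch does, against a handful of constructed splunkd_access lines whose layout approximates what splunkd writes (client IP, user, timestamp, request line, status). Two things the raw log shows that the bare keyword search hides: the saved-search name is percent-encoded in the request path, so a name containing spaces will not match as a plain term (search for the encoded form or a wildcard), and a DELETE that came back 404 or 403 removed nothing and should not be attributed to anyone. Also keep in mind that splunkd_access records REST calls from Splunk Web, the CLI and direct API clients alike, but an object removed by editing savedsearches.conf on disk leaves no such entry, and _internal is retained for a limited period (30 days by default), so a deletion older than that is no longer in the index.

```python
"""Attribute a saved-search deletion to a user from splunkd_access log lines.

Added example, not from the thread. The line layout below (client IP, user,
timestamp, request line, status) approximates what splunkd writes; the sample
lines themselves are constructed for this example.
"""
import re
from urllib.parse import unquote

# Constructed splunkd_access lines (hypothetical hosts, users and names).
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2014:09:15:02.118 +0000] "POST /servicesNS/admin/search/saved/searches HTTP/1.1" 201 1200 - - - 12ms
10.0.0.7 - jdoe [14/Mar/2014:17:40:31.004 +0000] "DELETE /servicesNS/jdoe/search/saved/searches/updates_active_user_48h_sample_uniqueIMSI HTTP/1.1" 200 90 - - - 4ms
10.0.0.7 - jdoe [14/Mar/2014:17:41:10.550 +0000] "DELETE /servicesNS/nobody/myapp/saved/searches/Weekly%20IMSI%20report HTTP/1.1" 200 90 - - - 3ms
10.0.0.9 - auditor [15/Mar/2014:08:02:44.010 +0000] "GET /services/saved/searches?count=0 HTTP/1.1" 200 56000 - - - 30ms
10.0.0.9 - auditor [15/Mar/2014:08:03:01.777 +0000] "DELETE /servicesNS/nobody/search/saved/searches/Other%20search HTTP/1.1" 404 60 - - - 2ms
"""

# One access-log line: ip - user [timestamp] "METHOD path HTTP/x.y" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A saved-search object path: /servicesNS/<owner>/<app>/saved/searches/<encoded name>
SEARCH_PATH_RE = re.compile(
    r'^/servicesNS/(?P<owner>[^/]+)/(?P<app>[^/]+)/saved/searches/(?P<name>[^/?]+)$'
)


def parse_deletions(log_text):
    """Return one record per successful DELETE of a saved-search object."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group('method') != 'DELETE':
            continue
        if not m.group('status').startswith('2'):
            continue  # a 404/403 DELETE removed nothing; do not attribute it
        p = SEARCH_PATH_RE.match(m.group('path'))
        if not p:
            continue
        records.append({
            'user': m.group('user'),      # the account that issued the request
            'time': m.group('ts'),
            'owner': p.group('owner'),    # namespace owner in the URL (nobody = shared)
            'app': p.group('app'),
            'name': unquote(p.group('name')),  # decode %20 etc. back to the real name
        })
    return records


def who_deleted(log_text, search_name):
    """Users who successfully deleted the named saved search, in log order."""
    return [r['user'] for r in parse_deletions(log_text) if r['name'] == search_name]


if __name__ == '__main__':
    for rec in parse_deletions(SAMPLE_LOG):
        print(rec)
    print(who_deleted(SAMPLE_LOG, 'Weekly IMSI report'))
```

The name comparison is done after decoding, which is why the deletion of "Weekly IMSI report" is found even though the log only ever contains Weekly%20IMSI%20report; the failed DELETE of "Other search" is ignored because of its 404 status.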

abhayneilam
Contributor

Is it possible to find out who has deleted that search, if it was deleted by someone?

0 Karma

abhayneilam
Contributor

After running index="_internal" sourcetype="splunkd_access" method="DELETE" updates_active_user_48h_sample_uniqueIMSI, I am not getting any output; it comes back with "No results found".

0 Karma

grijhwani
Motivator

You will (probably) find it under $SPLUNK_HOME/etc/users/${your account}/${appname}/local/savedsearches.conf.

Your problem is likely not knowing which "application" you added the search from.

0 Karma
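The on-disk check this answer suggests, as an added example that is not part of the thread and not Splunk's own code: the script walks the standard places an alert can be defined, $SPLUNK_HOME/etc/apps/<app>/{default,local}/savedsearches.conf for shared objects and $SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf for a user's private ones, and reports every stanza that defines the named search, whether that layer sets disabled = 1, and its cron_schedule (within an app, local overrides default). It builds a constructed tree in a temporary directory (file contents are made up) so it runs offline; point find_saved_search at a real $SPLUNK_HOME to use it. Two caveats the thread touches on: | rest /services/saved/searches lists only objects the searching user can see, so an alert living in another user's private context needs | rest /servicesNS/-/-/saved/searches run with admin rights (or this on-disk check), and a stanza for the search in metadata/local.meta is only the object's permissions record (owner, access, export), not the search definition, which lives in savedsearches.conf.

```python
"""Locate a saved search on disk across app and user contexts.

Added example, not from the thread. It assumes the standard layout
$SPLUNK_HOME/etc/apps/<app>/{default,local}/savedsearches.conf and
$SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf and builds a
constructed tree in a temporary directory so it runs offline.
"""
import os
import re
import tempfile

STANZA_RE = re.compile(r'^\[(.+)\]$')


def parse_conf(path):
    """Minimal Splunk .conf reader: {stanza: {key: value}} (no continuation lines)."""
    stanzas, current = {}, None
    with open(path, encoding='utf-8') as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith('#'):
                continue
            m = STANZA_RE.match(line)
            if m:
                current = m.group(1)
                stanzas.setdefault(current, {})
            elif current is not None and '=' in line:
                key, _, value = line.partition('=')
                stanzas[current][key.strip()] = value.strip()
    return stanzas


def conf_files(splunk_home):
    """Yield (scope, path) for every savedsearches.conf in app and user contexts."""
    etc = os.path.join(splunk_home, 'etc')
    apps = os.path.join(etc, 'apps')
    if os.path.isdir(apps):
        for app in sorted(os.listdir(apps)):
            for layer in ('default', 'local'):  # local overrides default within an app
                p = os.path.join(apps, app, layer, 'savedsearches.conf')
                if os.path.isfile(p):
                    yield f'app:{app}/{layer}', p
    users = os.path.join(etc, 'users')
    if os.path.isdir(users):
        for user in sorted(os.listdir(users)):
            udir = os.path.join(users, user)
            if not os.path.isdir(udir):
                continue
            for app in sorted(os.listdir(udir)):
                p = os.path.join(udir, app, 'local', 'savedsearches.conf')
                if os.path.isfile(p):
                    yield f'user:{user}/{app}', p


def find_saved_search(splunk_home, name):
    """Every layer that defines `name`, with its disabled flag and cron schedule."""
    hits = []
    for scope, path in conf_files(splunk_home):
        st = parse_conf(path).get(name)
        if st is not None:
            hits.append({
                'scope': scope,
                'path': path,
                'disabled': st.get('disabled') == '1',
                'cron': st.get('cron_schedule'),
            })
    return hits


def build_sample_tree(root):
    """Constructed $SPLUNK_HOME (hypothetical app, user and search names)."""
    files = {
        'etc/apps/myapp/default/savedsearches.conf':
            '[Weekly IMSI report]\nsearch = index=cdr | stats dc(imsi)\n'
            'cron_schedule = 0 6 * * 5\nenableSched = 1\n',
        'etc/apps/myapp/local/savedsearches.conf':
            '# local layer switches the shared alert off\n[Weekly IMSI report]\ndisabled = 1\n',
        'etc/users/jdoe/search/local/savedsearches.conf':
            '[updates_active_user_48h_sample_uniqueIMSI]\n'
            'search = index=cdr earliest=-48h | stats dc(imsi)\n'
            'cron_schedule = 0 7 * * 5\nenableSched = 1\n',
    }
    for rel, body in files.items():
        p = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, 'w', encoding='utf-8') as fh:
            fh.write(body)
    return root


def demo():
    """Run the lookup over the constructed tree for three names."""
    root = build_sample_tree(tempfile.mkdtemp(prefix='splunk_home_'))
    names = ('updates_active_user_48h_sample_uniqueIMSI', 'Weekly IMSI report', 'gone')
    return {n: find_saved_search(root, n) for n in names}


if __name__ == '__main__':
    for name, hits in demo().items():
        print(name, hits)
```

The private search under etc/users/jdoe/search/local is exactly the kind of object the grijhwani answer points at: it never appears under etc/apps, and it only shows up in | rest for jdoe (or an admin querying all namespaces), yet its cron_schedule is what makes the alert fire each Friday.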

abhayneilam
Contributor

I am getting the name of the saved search under:
etc/apps/app_name/metadata/local.meta.old.

Is this what is annoying me?

0 Karma

abhayneilam
Contributor

I have just checked but did not find that saved search name in the above location. I am also using the find command with xargs to grep for the saved search name under the "etc" directory, but nothing is coming up.

0 Karma