
Splunk Saved and Scheduled Search

abhayneilam
Contributor

Hi,

I created a saved search and also created an alert which was scheduled for every Friday. Last Friday I received the alert, but I don't want to receive that alert any more; I want to delete it. When I went to delete the search I didn't find it. I don't know where that search / saved search has gone; there is no scheduled search. I have checked on my Unix box as well, but didn't find anything, except in ...etc/app_nam/metadata/local.meta.local, where I found the saved search name, and nowhere else.
Could you please help me with how to stop this alert? What is happening, why is this search generating an alert? If someone deleted the alert, how is it still coming? And who deleted it, if it is possible to find out?

Many thanks for your help!!


somesoni2
SplunkTrust

Not sure how much it'll help, but the query below can give a list of all saved searches present in your Splunk instance.

| rest /services/saved/searches | table title, eai:acl.app, eai:acl.owner, splunk_server, cron_schedule, description, action.email, action.email.sendresults, action.email.to, action.script, alert.expires, alert_type, eai:acl.perms.read, eai:acl.perms.write, eai:acl.sharing, qualifiedSearch

You should be able to find it there along with the information about the app under which it is present. If you find your search in the results of this query, go to the respective app and delete it (from the UI or from the savedsearches.conf file within the app folder). If not, the query below can give you details if it was deleted from the UI.

index="_internal" sourcetype="splunkd_access" method="DELETE" NameOfYourSearch

abhayneilam
Contributor

But I am not getting any result with the query "index="_internal" sourcetype="splunkd_access" method="DELETE"".

So I am not able to see the user name either.


somesoni2
SplunkTrust

The query to get deleted objects will give a result only if the object was deleted via the Splunk Web UI. Please ensure the time range is correctly selected. The query result (if any) should have a field called user, showing who deleted the object.

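As an added example (not code from either poster), the script below applies the two checks somesoni2 describes, but offline: it locates the app, owner and sharing scope of a named saved search in a REST listing, and pulls the user field out of splunkd_access DELETE lines so the deletion can be attributed. The REST JSON and the log lines are constructed samples shaped like Splunk's output; the search name from the thread is used as the target.

```python
import json
import re

# Constructed sample: the JSON shape splunkd returns for
# /services/saved/searches?output_mode=json, trimmed to the fields that matter.
SAMPLE_REST = json.dumps({"entry": [
    {"name": "updates_active_user_48h_sample_uniqueIMSI",
     "acl": {"app": "app_name", "owner": "abhayneilam", "sharing": "user"},
     "content": {"cron_schedule": "0 6 * * 5", "disabled": False,
                 "action.email.to": "team@example.invalid"}},
    {"name": "errors_last_24h",
     "acl": {"app": "search", "owner": "admin", "sharing": "app"},
     "content": {"cron_schedule": "", "disabled": False}},
]})

# Constructed sample lines in the index=_internal sourcetype=splunkd_access format.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - admin [15/Mar/2024:09:12:01.417 +0000] "GET /servicesNS/-/-/saved/searches?count=0 HTTP/1.1" 200 8811 - - - 9ms
10.0.0.7 - jdoe [15/Mar/2024:09:14:33.002 +0000] "DELETE /servicesNS/abhayneilam/app_name/saved/searches/updates_active_user_48h_sample_uniqueIMSI HTTP/1.1" 200 1290 - - - 14ms
10.0.0.7 - jdoe [15/Mar/2024:09:15:10.550 +0000] "DELETE /servicesNS/nobody/search/saved/searches/errors_last_24h HTTP/1.1" 200 1102 - - - 11ms
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def locate_saved_search(rest_json, name):
    """(app, owner, sharing, cron) for each object called `name`; one may exist per user namespace."""
    hits = []
    for entry in json.loads(rest_json)["entry"]:
        if entry["name"] == name:
            acl, content = entry["acl"], entry["content"]
            hits.append((acl["app"], acl["owner"], acl["sharing"], content.get("cron_schedule", "")))
    return hits

def deletions_of(access_log, name):
    """(user, timestamp, path) for successful DELETE calls on `name` made through the REST API,
    which is the path the Web UI uses; editing savedsearches.conf on disk leaves no such line."""
    found = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "DELETE" or m["status"] != "200":
            continue
        if m["path"].split("?")[0].endswith("/saved/searches/" + name):
            found.append((m["user"], m["ts"], m["path"]))
    return found

if __name__ == "__main__":
    print(locate_saved_search(SAMPLE_REST, "updates_active_user_48h_sample_uniqueIMSI"))
    print(deletions_of(SAMPLE_ACCESS_LOG, "updates_active_user_48h_sample_uniqueIMSI"))
```

Against a live instance, fetch the listing with `splunk_server` and `eai:acl.*` fields as in the `| rest` query and run the DELETE search over a wide enough time range before attributing a deletion.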

abhayneilam
Contributor

Is it possible to find out who has deleted that search, if it was deleted by someone?


abhayneilam
Contributor

After running index="_internal" sourcetype="splunkd_access" method="DELETE" updates_active_user_48h_sample_uniqueIMSI, I am not getting any output. It comes back with 0 results ("No results found").


grijhwani
Motivator

You will (probably) find it under $SPLUNKHOME/etc/users/${your account}/${appname}/local/savedsearches.conf.

Your problem is likely not knowing which "application" you added the search from.


abhayneilam
Contributor

I am getting the name of the saved search under:
etc/apps/app_name/metadata/local.meta.old.

Is this what is annoying me?


abhayneilam
Contributor

I have just checked but did not find that saved search name in the above location. I am also using the find command with xargs to grep for the saved search name under the "etc" directory, but nothing is coming up.
