Alerting

6.1.3 to 6.2.1 ugrade, Now missing saved searches and alerts.

sbrice36
Explorer

I am having an issue with saved searches and alerts after my 6.2.1 upgrade. The upgrade appears to be successful and everyone can navigate fine. However, it was just reported that saved searches and alerts are no longer present. I have a clustered environment with my main server running "deployment server/search head/license server/forwarder" I then have 6 remote forwarders and 2 indexers. Everything is reporting fine on phone home. I need to get my saved searches back and saved alerts. I know there is a savedsearches.conf, when I compared the two, they appear to be exact. Is there anything else I need to re-enable or refresh after an upgrade?

0 Karma
1 Solution

sbrice36
Explorer

Fixed- Thank you somesoni2, I moved the default.meta data file and restarted services and all saved alerts are back. I am not sure why that wasn't pulled over during the upgrade, but it's fixed now. The person who was going to re-write the alerts is very happy now!

View solution in original post

0 Karma

sbrice36
Explorer

Fixed- Thank you somesoni2, I moved the default.meta data file and restarted services and all saved alerts are back. I am not sure why that wasn't pulled over during the upgrade, but it's fixed now. The person who was going to re-write the alerts is very happy now!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

check the metadata entries are still intact for saved searches (etc/apps//metadata/local.meta)

0 Karma

sbrice36
Explorer

Thank you, taking a look now!

0 Karma

sbrice36
Explorer

/search-head/etc/apps/search/metadata "default.meta" On the backup directory it's 5660 in size, permissions set to -rw-rw-r-- .On the upgrade directory its 5701 in size, and permissions are -r--r--r--

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...