Savedsearches.conf changes not working

brantramey
Explorer

Attempting to use savedsearches.conf to create saved searches associated with my app. The issue I seem to have is the searches within the file do not show up in the Manager. I have removed the vsid= portion, I have left that part in. Nothing seems to work. I want to have my saved searches self contained in the app as the app is deployed without having to manually create the saved search through the GUI.
Below is an example of one of the 3 in the file not showing up at all.

[Admin - Real-time Searches over last 24 hours]
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
displayview = flashtimeline
request.ui_dispatch_view = flashtimeline
search = index=* sourcetype=audittrail search_id='rt*' | transaction search_id | table timestamp search_id search total_run_time result_count user

lguinn2
Legend

This is perhaps a dumb suggestion; if so, I apologize. But are you sure that you have selected the proper app in the Manager? There are two selectors at the top of the page: App Context and Owner. There is also a checkbox for "Show only objects created in this app context." And, what user account did you use to log in to Splunk - was it the same one that you used to create the app and the saved searches?

If you can't figure it out in the Splunk Manager, you can look at the underlying configuration files. Here are the files that affect your application and search visibility:

$SPLUNK_HOME/etc/apps/YOURAPP/default/app.conf
$SPLUNK_HOME/etc/apps/YOURAPP/local/app.conf
$SPLUNK_HOME/etc/apps/YOURAPP/metadata/default.meta
$SPLUNK_HOME/etc/apps/YOURAPP/metadata/local.meta
$SPLUNK_HOME/etc/apps/YOURAPP/default/savedsearches.conf
$SPLUNK_HOME/etc/apps/YOURAPP/local/savedsearches.conf
$SPLUNK_HOME/etc/apps/YOURAPP/default/data/ui/nav/default.xml
$SPLUNK_HOME/etc/apps/YOURAPP/default/data/ui/nav/default.xml

When the same file appears in both the local and the default folders, Splunk combines the two. If any settings conflict, the local version will override the default. You can edit these files directly, but you should make a backup copy of the file before you change it. Here is more info about the config files.

Finally - if you can't find the savedsearches.conf file in the app folders, or if it doesn't contain the searches you expect, it may be because the app and/or the searches are private to the user that created them. In that case, you will find the files under

$SPLUNK_HOME/etc/users/USERNAME/YOURAPP/*

In the end, your searches should show up in the Manager - if you are logged in as the proper user (or admin) and you have selected the proper app and options in the Manager. If they don't, you should probably file a support ticket. All the other suggestions here are a little tangential to your original question...
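The layering described in the answer above can be checked from the filesystem. The following is an added example, not part of the original thread and not Splunk's own tooling: it reports which scopes define a saved-search stanza and merges the app-level settings with local overriding default. The names `locate_search`, `myapp`, `alice` and the sample tree are hypothetical, the user-level file is assumed to sit somewhere below `etc/users/USERNAME/YOURAPP/`, and sharing permissions in the `.meta` files are not evaluated.

```python
import tempfile
from pathlib import Path

def parse_conf(path):
    """Minimal .conf reader: {stanza: {key: value}}; ignores line continuations."""
    stanzas, current = {}, None
    for line in map(str.strip, Path(path).read_text().splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def locate_search(splunk_home, app, name):
    """Return (merged app-level settings, scopes where the stanza is defined)."""
    home = Path(splunk_home)
    layers = [("app/default", home / "etc/apps" / app / "default/savedsearches.conf"),
              ("app/local", home / "etc/apps" / app / "local/savedsearches.conf")]
    for conf in sorted(home.glob(f"etc/users/*/{app}/**/savedsearches.conf")):
        user = conf.relative_to(home / "etc/users").parts[0]
        layers.append((f"private:{user}", conf))
    merged, found = {}, []
    for scope, conf in layers:
        stanza = parse_conf(conf).get(name) if conf.is_file() else None
        if stanza is None:
            continue
        found.append(scope)
        if scope.startswith("app/"):
            merged.update(stanza)  # local is applied after default, so it wins
    return merged, found

# Constructed sample tree; app, user and second search name are made up.
NAME = "Admin - Real-time Searches over last 24 hours"
SAMPLE = {
    "etc/apps/myapp/default/savedsearches.conf": f"[{NAME}]\ndispatch.earliest_time = -24h@h\nalert.track = 0\n",
    "etc/apps/myapp/local/savedsearches.conf": f"[{NAME}]\nalert.track = 1\n",
    "etc/users/alice/myapp/local/savedsearches.conf": "[My private search]\nsearch = index=_audit\n",
}

def build_sample(root):
    for rel, text in SAMPLE.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(locate_search(root, "myapp", NAME))
        print(locate_search(root, "myapp", "My private search"))
```

A stanza that is reported only under a `private:` scope exists on disk but belongs to that user, which is the case the answer describes for searches that do not appear under the app folders.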

brantramey
Explorer

Not sure what happened, but we upgraded to 4.2.5 and it magically started working.

Thanks.

brantramey
Explorer

Attempted both of these suggestions and the queries still do not show up in the manager.

I have restarted the search head several times as well.
I have deleted the app, deleted the saved queries from the GUI, and had the app redeployed and I have the same issue.

joshd
Builder

I assume you are editing the file directly? Did you refresh after making the changes? Here's a related post:

http://splunk-base.splunk.com/answers/8696/how-ro-reload-global-savedsearches

You could also force a refresh on all splunkd resources (use with caution!) by accessing this URL:

https://yourhost:8000/en-US/debug/refresh
