Splunk Search

How to mass update / search+replace user defined searches

KevinRF
Engager

Is there a way to perform a mass update (or search+replace) on user defined searches? One at a time (300+ searches/reports/etc.) using the GUI feels unproductive.

Splunk Enterprise version 6.3.3


dcarmack_splunk
Splunk Employee

I've done this in the past from the file system

# the sed expression contains spaces, so it must be quoted as one argument; xargs runs sed on each file find reports
find /opt/splunk/etc/apps/ -name 'savedsearches.conf' | xargs sed -i 's/sourcetype="wineventlog:midwayusa"/sourcetype="wineventlog:midwayusa" OR sourcetype=httpErrorLog/g'

That of course assumes you are using a Unix OS. The -i option in the sed command does a replace in file. You can create a backup of the original file by changing it to the following.

sed -i.bak

that will add a savedsearches.conf.bak for each file it changes.

I suggest testing first.

After you've updated, you will need to run a debug refresh on the Splunk instances where the changes were made:

http://localhost:8000/en-US/debug/refresh <-- example, but replace localhost with your server, of course.
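A preview-first version of the file-system approach in the answer above, added here as an example (not the answerer's own code): it lists the lines that would change before anything is written, keeps a .bak of each file it touches, and skips files that already carry the new clause so a second run does not append it twice. The directory layout and the function names are assumptions; the sourcetype values are the ones from the answer.

```shell
#!/bin/sh
# Added example, not code from the answer above: preview a savedsearches.conf
# search-and-replace before applying it, then apply it with a .bak backup.
# Assumptions: a Splunk etc/apps-style tree (any directory works), and that OLD
# is matched as a sed basic regex (escape . * [ \ in it; escape & in NEW).

# preview_replacements DIR OLD NEW
#   Print each line that would change, as "file: replaced line", changing nothing.
preview_replacements() {
  dir=$1; old=$2; new=$3
  find "$dir" -name savedsearches.conf -print | while read -r f; do
    # -n with the p flag prints only lines where a substitution happened
    sed -n "s|$old|$new|gp" "$f" | sed "s|^|$f: |"
  done
}

# apply_replacements DIR OLD NEW
#   Rewrite only files that contain OLD, keeping a .bak copy of each one touched.
#   Files that already contain NEW are skipped, so a second run does not append
#   the OR clause twice (NEW contains OLD, so the order of these checks matters).
apply_replacements() {
  dir=$1; old=$2; new=$3
  find "$dir" -name savedsearches.conf -print | while read -r f; do
    if grep -q -F -- "$new" "$f"; then
      echo "skip (already updated): $f" >&2
    elif grep -q -F -- "$old" "$f"; then
      sed -i.bak "s|$old|$new|g" "$f"
      echo "updated: $f (backup in $f.bak)" >&2
    fi
  done
}

# count_matches DIR TEXT
#   Number of lines across all savedsearches.conf files that contain TEXT (fixed string).
count_matches() {
  grep -r --include=savedsearches.conf -F -- "$2" "$1" | wc -l | tr -d ' '
}
```

Run preview_replacements first and read every reported line, since the substitution hits any line containing the old text, not only `search =` keys; on a search head cluster, a file edited directly on one member is not replicated to the others, so make the change on the deployer's copy of the app and push it from there.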

KevinRF
Engager

Thank you. We are using Linux. I sent the command to our Splunk admin and he said the GUI is the only way to update the queries. Mass changes to the file system would not be possible because of how Splunk is configured.

Thanks again.


richgalloway
SplunkTrust

Perhaps you could write a script/program that uses the API or SDK to update the searches. Check out the SDK for your favorite language at http://docs.splunk.com/Documentation/SDK or look at saved/searches/{name} in the REST API manual (http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTprolog).

---
If this reply helps you, Karma would be appreciated.

KevinRF
Engager

@richgalloway : Thanks. Our Splunk admin turned off those features. It would take longer to fill out the system change request form, wait the week+ for the approval, then the time for the admin to make the change, and then the time to translate the API/SDK into a real-world working program, than to update all the queries by hand.


somesoni2
SplunkTrust

Are you using search head clustering OR search head pooling? Just want to get more details on "our Splunk admin and he said the GUI is the only way to update the queries." I've worked with both and we can update the savedsearches.conf by the method provided in this answer.


KevinRF
Engager

@somesoni2 : Thank you for the response. I don't know. I was 'gently nudged' to update the queries by hand (chain-of-command kind of nudge). Got a feeling any further request will not be seen positively by the powers-that-be.
If you're curious, the application changes (to use the different source type) came from the Splunk admin. Crazy world we live in.
