I have done a search here and see that this was a big issue for some of the older versions of Splunk, but I seem to be facing this in 6.4.2 as well. I am in a SH Clustered environment, so I don't think removing the searches from the config files would be the correct way of doing it.
Are there any alternatives? I have a few alerts in our environment that need to be deleted, and even with admin I don't have the rights to remove them.
"even with admin I don't have the rights to remove them"
Sounds like you deployed those savedsearches from the Deployer, and they are located in SPLUNK_HOME/etc/apps/default
If that's the case, the only solution is to remove those savedsearches in savedsearches.conf in the default directory.
If you're using a Deployer, remove those savedsearches in savedsearches.conf in the default directory; deploying the apps to the SHC must then resolve the issue.
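To check which case applies before editing anything, the following added example (not part of the original thread, and not Splunk's own tooling) reports whether a saved-search stanza is defined in an app's default or local savedsearches.conf and who owns the file. The function names, the temporary sample app and the alert names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which layer of an app defines a saved search.

# True when conf file $1 has a stanza header that is exactly "[$2]"
# (trailing whitespace and CR are ignored).
has_stanza() {
    [ -f "$1" ] || return 1
    sed 's/[[:space:]]*$//' "$1" | grep -Fxq "[$2]"
}

# Prints default, local, default+local or absent for stanza $2 in app dir $1.
locate_stanza() {
    where=""
    if has_stanza "$1/default/savedsearches.conf" "$2"; then where="default"; fi
    if has_stanza "$1/local/savedsearches.conf" "$2"; then where="${where:+$where+}local"; fi
    echo "${where:-absent}"
}

# Owner column of `ls -ld`, to compare with the account splunkd runs as.
conf_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Constructed sample app: one alert shipped in default, one created in local.
demo_app=$(mktemp -d)
mkdir -p "$demo_app/default" "$demo_app/local"
printf '[Deployed Alert]\nsearch = index=main error\n' > "$demo_app/default/savedsearches.conf"
printf '[UI Alert]\nsearch = index=main warn\n' > "$demo_app/local/savedsearches.conf"

for s in "Deployed Alert" "UI Alert" "Missing Alert"; do
    printf '%s: %s\n' "$s" "$(locate_stanza "$demo_app" "$s")"
done
printf 'local owner: %s\n' "$(conf_owner "$demo_app/local/savedsearches.conf")"
```

On a real search head, pass the app directory (for example the /opt/splunk/etc/apps/APP_WHERE_SEARCH_IS path shown in this thread) and the alert's exact name to `locate_stanza`.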
Usually this is a file system permissions issue. For example, if Splunk ran as root when the search was created, and now it's running as a less privileged user, it can write to the savedsearches.conf that is owned by root.
A good thing to try is to recursively change the owner of the directory to the correct Splunk user.
So if you need help with this, let us know if you're on Windows or Linux.
Ah, thanks for the info. I'm on a Linux server. I'll take a look to see what the permissions are set at right now.
Check on the SHs and the SHC Deployer /etc/shcluster/apps dir too.
Here's what I got:
Deployer-----
/opt/splunk/etc/shcluster/apps/APP_WHERE_SEARCH_IS/local
-rw-r--r-- 1 splunk splunker 113452 Sep 23 09:53 savedsearches.conf
SHs----
/opt/splunk/etc/apps/APP_WHERE_SEARCH_IS/local
-rw------- 1 splunk splunker 20765 Oct 13 14:37 savedsearches.conf
How about the default folder on the SH?
I guess masa beat me to it.
Kudos on your help though, thanks for leading me to the water 🙂