Solved: After upgrading to 6.5.0, why are we receiving "In...

dpanych · ‎11-09-2016

We upgraded to 6.5.0 from 6.4.x, and now every time we attempt to save a change made to an alert, we get the following error:

In handler 'savedsearch': Could not flush changes to disk: /nobody/search/savedsearches/Test/search: ConfPathMapper: C:\Program Files\Splunk\etc\apps\search\local
On 6.4.x, saving changes worked 100% and now on 6.5.0 it does not. We didn't do anything unusual with the upgrade. What could this be? I checked both Splunk and Windows file system permissions and they both seem fine.

dpanych · ‎12-02-2016

Figured out the cause. I guess having (1) Splunk_TA_nix - version 5.1.2 and (2) config_analytics - version 1.8 installed on Splunk 6.5.x causes the file-write issue. We removed the config_analytics app and things are working smoothly again.

View solution in original post

dpanych · ‎12-02-2016

Figured out the cause. I guess having (1) Splunk_TA_nix - version 5.1.2 and (2) config_analytics - version 1.8 installed on Splunk 6.5.x causes the file-write issue. We removed the config_analytics app and things are working smoothly again.

scott_sackrider · ‎06-27-2019

How did you find this out? Having a similar issue, but the suspected apps aren't installed. Appreciate the note.

After upgrading to 6.5.0, why are we receiving "In handler 'savedsearch': Could not flush changes to disk" error when modifying an alert?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases