Is there a way to retrieve a saved search that was accidentally deleted?

Urias
Engager

Is there a way to get back a saved search which is accidentally deleted? I cannot seem to find any "recycle bin" for deleted knowledge objects within Splunk Web.
It is sometimes too easy to hit the Delete-link of the wrong saved search...

0 Karma

richgalloway
SplunkTrust

There is no "recycle bin" for deleted knowledge objects in Splunk. You have some options, however.

  • If the savedsearch was shipped as part of an app, it may still be present in $SPLUNK_HOME/etc/apps//default/savedsearches.conf. If it is there, you can copy it to local/savedsearches.conf.
  • Restore the affected savedsearches.conf file from your last backup. Do this in a separate location and then copy only the deleted search to the current savedsearches.conf file (or create the search in the UI).
  • Look for a copy of the deleted saved search in a user's directory or in another app.
---
If this reply helps you, Karma would be appreciated.

0 Karma
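
The backup option in the answer above (restore savedsearches.conf to a separate location, then copy only the deleted search) can be scripted. This is an added example, not part of the original thread and not Splunk tooling: it compares a restored copy with the current file and returns the stanzas that exist only in the backup. The file contents are constructed samples and the function names are hypothetical.

```python
# Added example: find saved-search stanzas that exist in a restored backup of
# savedsearches.conf but are missing from the current file.

def parse_stanzas(text):
    """Return {stanza_name: raw_stanza_text} for a Splunk .conf file.

    A value continues onto the next line when a line ends with a backslash,
    so a continued line that looks like "[...]" (for example a subsearch)
    must not be treated as a new stanza header.
    """
    stanzas, name, lines, continued = {}, None, [], False
    for line in text.splitlines():
        stripped = line.strip()
        is_header = (not continued and stripped.startswith("[")
                     and stripped.endswith("]"))
        if is_header:
            if name is not None:
                stanzas[name] = "\n".join(lines).rstrip() + "\n"
            name, lines = stripped[1:-1], [line]
        elif name is not None:
            lines.append(line)
        continued = line.rstrip().endswith("\\")
    if name is not None:
        stanzas[name] = "\n".join(lines).rstrip() + "\n"
    return stanzas


def missing_stanzas(backup_text, current_text):
    """Stanzas found in the backup that no longer exist in the current file."""
    backup, current = parse_stanzas(backup_text), parse_stanzas(current_text)
    return {n: body for n, body in backup.items() if n not in current}


# Constructed sample contents (not from a real deployment).
BACKUP = """[Failed logins by host]
search = index=_audit action=login status=failure \\
[search index=_audit action=edit_user | fields user]
cron_schedule = */15 * * * *

[Daily license usage]
search = index=_internal source=*license_usage.log | timechart sum(b)
"""

CURRENT = """[Daily license usage]
search = index=_internal source=*license_usage.log | timechart sum(b)
"""

if __name__ == "__main__":
    for name, body in missing_stanzas(BACKUP, CURRENT).items():
        print(body)  # review, then append to local/savedsearches.conf
```

In practice, read the two files from the restored location and from the live app's local directory instead of the inline samples.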

eugenek
Path Finder

Look in the audit log.

index=_audit  savedsearch_name="SEARCH NAME"

robertszekeres
Engager

Great answer, it works. Thx a lot!

0 Karma

Urias
Engager

Thanks. I will then just have to be very careful in deleting stuff...

0 Karma