Solved: Re: 6.1.3 to 6.2.1 ugrade, Now missing saved searc...

sbrice36 · ‎03-13-2015

I am having an issue with saved searches and alerts after my 6.2.1 upgrade. The upgrade appears to be successful and everyone can navigate fine. However, it was just reported that saved searches and alerts are no longer present. I have a clustered environment with my main server running "deployment server/search head/license server/forwarder" I then have 6 remote forwarders and 2 indexers. Everything is reporting fine on phone home. I need to get my saved searches back and saved alerts. I know there is a savedsearches.conf, when I compared the two, they appear to be exact. Is there anything else I need to re-enable or refresh after an upgrade?

sbrice36 · ‎03-16-2015

Fixed- Thank you somesoni2, I moved the default.meta data file and restarted services and all saved alerts are back. I am not sure why that wasn't pulled over during the upgrade, but it's fixed now. The person who was going to re-write the alerts is very happy now!

View solution in original post

sbrice36 · ‎03-16-2015

Fixed- Thank you somesoni2, I moved the default.meta data file and restarted services and all saved alerts are back. I am not sure why that wasn't pulled over during the upgrade, but it's fixed now. The person who was going to re-write the alerts is very happy now!

somesoni2 · ‎03-13-2015

check the metadata entries are still intact for saved searches (etc/apps//metadata/local.meta)

sbrice36 · ‎03-13-2015

Thank you, taking a look now!

sbrice36 · ‎03-13-2015

/search-head/etc/apps/search/metadata "default.meta" On the backup directory it's 5660 in size, permissions set to -rw-rw-r-- .On the upgrade directory its 5701 in size, and permissions are -r--r--r--

6.1.3 to 6.2.1 ugrade, Now missing saved searches and alerts.

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?