Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
I want to give LDAP access to my Splunk service but I don't want the LDAP users to have admin capabilities in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication?
Hello Jonathan,
Glad to have another Splunker. I've been using Splunk for 2 years and am hooked. I learned how to spell splunk and | transaction too. You'll learn that one soon.
Go over to Splunk…
Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!
The team that found them must have special bat senses and highly tooned Splunking skills
I like to wear Extra Lovable…
Feb 7
Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
I haven't figured out how to rename them, but I did figure out that if you clone them and give them a new name, it's essentially the same thing. If it's not, I haven't discovered the difference yet.
As of version 4.0.6, it is not possible to rename searches from the UI. However, all of Splunk's configs are stored in fairly easy to understand config files. Searches, for example, are stored in "savedsearches.conf" (docs page link). Pop into that file and edit the stanza name for that search. But where is "savedsearches.conf" stored? It depends.
If you are logged in and have created/saved a search, by default it should save to $SPLUNK_HOME/etc/users/$USERNAME/$APPNAME/local/savedsearches.conf.
You can see a search object's sharing settings, which should be private by default (meaning no other user can see/edit your search).
If you want it to be available to everyone within the app it was created in, such as the "search app", just share it.
Now if I share it, and make it available to users within my "App Context" -- and that app being the "search" app, my configuration for that search will actually move from my "user/local" directory to $SPLUNK_HOME/etc/$APPNAME/local/savedsearches.conf.
You will likely have to restart your server if you change this configuration file underneath Splunk. There are a few that do not require a restart--this just isn't one of them.
FYI - There is a bug in the clone operation. If you were to look at the entry for the original report and the clone in the user's savedsearches.conf you will notice that the key "displayview" is omitted from the clone.
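The stanza rename and the clone check discussed in this thread, as an added example that is not part of the original posts and is not Splunk's own tooling. The sample file contents, the search names and the helper names (`scan`, `parse`, `rename_stanza`, `missing_keys`) are assumptions made for illustration.

```python
import re

STANZA = re.compile(r"^\[(.+)\]\s*$")

# Constructed sample of a user-level savedsearches.conf (values are made up).
SAMPLE = """\
[Failed logins]
search = sourcetype=auth action=failure | stats count by user
displayview = example_view

[Failed logins clone]
search = sourcetype=auth action=failure | stats count by user
"""

def scan(text):
    """Yield (line, stanza name or None, is_continuation) for each raw line."""
    continued = False
    for line in text.splitlines(keepends=True):
        header = None if continued else STANZA.match(line)
        yield line, (header.group(1) if header else None), continued
        continued = line.rstrip().endswith("\\")  # next line continues a value

def parse(text):
    """Return {stanza name: {key: value}}; continuation lines are not keys."""
    stanzas, current = {}, None
    for line, name, continued in scan(text):
        if name is not None:
            current = stanzas.setdefault(name, {})
        elif current is not None and not continued and "=" in line \
                and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def rename_stanza(text, old, new):
    """Rename the [old] header to [new]; every other line is left untouched."""
    names = parse(text)
    if old not in names:
        raise KeyError(f"no stanza named [{old}]")
    if new in names:
        raise ValueError(f"stanza [{new}] already exists")
    return "".join(
        f"[{new}]" + line[len(line.rstrip("\r\n")):] if name == old else line
        for line, name, _ in scan(text))

def missing_keys(text, original, clone):
    """Keys set on the original search that its clone lacks (e.g. displayview)."""
    stanzas = parse(text)
    return sorted(set(stanzas[original]) - set(stanzas[clone]))
```

Run it against a copy of the file, and refuse the write if `rename_stanza` raises, since a duplicate stanza name would merge two searches.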