To edit or delete a saved search, you need to use Splunk Manager, as Becky states above. Saved searches are a type of knowledge object (along with other kinds of user-created metadata like event types, tags, lookups, transactions, workflow actions, and so on). All knowledge objects can be edited and managed via Manager.

Go to the Manager link at the upper right-hand side of the Splunk page and click it if you're unfamiliar with it. Then click on the Searches and Reports link to see a list of all of the saved searches that you have either created or have been given permission to view and/or edit. Click on the name of the search you created; you should be taken to a details page, and if you have the correct permissions, you should be able to edit it there and save your changes.

Permissions are important, especially when it comes to deleting saved searches and other knowledge objects (as well as editing them). Here are the rules that control whether or not you can delete a saved search in Manager:

- You cannot delete default knowledge objects that were delivered with Splunk (or with the app) via Manager. If the knowledge object definition resides in the app's default directory, it can't be removed via Manager. It can only be disabled (by clicking Disable). Only objects that exist in an app's "local" directory are eligible for deletion.
- You can delete knowledge objects that you have created, and which haven't been shared. Once a knowledge object you've created is shared with other users, your ability to delete it is revoked, unless you have write permissions for the app to which they belong (see the next point).
- To delete all other knowledge objects, you need to have write permissions for the application to which they belong. This applies to knowledge objects that are shared globally as well as those that are only shared within an app - all knowledge objects belong to a specific app, no matter how they are shared. App-level write permissions are usually only granted to users with admin-equivalent roles.

For more information about disabling or deleting knowledge objects (such as saved searches) see.

I'm the tech writer in charge of this sort of thing. I'll review the docs and try to make it easier to find the material that I've linked to above.

2. Set dashboard refresh time to every 5 minutes. 5. Scheduled this search every 5 minutes so it will save in the cache. 7. Auto restart splunk daily at 2:00 AM UTC so that memory will be released.

The following search returns events where fieldA exists and does not have the value 'value2'. search fieldA'value2' If you use a wildcard for the value, NOT fieldA returns events where fieldA is null or undefined, and fieldA never returns any events.