Turn off saved searches that use specific KV Store collections
You can turn off saved searches that are not required using one of the following two methods:
- Use Splunk Web
- Edit the savedsearches.conf configuration file
Follow these steps to turn off the search using Splunk Web:
- In the Splunk app, navigate to Settings > Searches, Reports and Alerts.
- In the Name column, find your saved search.
- Click Edit.
- Click Deactivate / Turn off.
If the searches that write to a specific KV Store collection are not required and can be turned off, set the disabled flag to True or 1 in the savedsearches.conf configuration file.
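The savedsearches.conf method above, as an added example that is not part of the original documentation or of Splunk's tooling: it scans savedsearches.conf text for enabled searches that write to given lookups with outputlookup and renders the disabled = 1 stanzas for the local file. The sample stanzas, the lookup names, and the premise that the KV Store collection is written through those lookup definitions are assumptions constructed for illustration.

```python
import re

# Constructed sample of an app's default/savedsearches.conf (not from a real app).
SAMPLE_CONF = r"""
[Asset Inventory - Lookup Gen]
search = index=main sourcetype=assets \
| stats latest(ip) as ip by host \
| outputlookup asset_inventory_lookup
[Failed Logins - Alert]
search = index=main action=failure | stats count by user
[Threat Intel - Refresh]
search = | inputlookup threat_feed | outputlookup append=true threat_intel_lookup
disabled = 1
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, joining backslash continuations."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def writers(stanzas, lookups):
    """Enabled saved searches whose SPL runs outputlookup against one of `lookups`."""
    hits = []
    for name, cfg in stanzas.items():
        args = " ".join(re.findall(r"\boutputlookup\b([^|]*)", cfg.get("search", ""), re.I))
        # Drop options such as append=true; the remaining bare token is the lookup name.
        targets = {t for t in args.split() if "=" not in t}
        off = cfg.get("disabled", "0").lower() in ("1", "true")
        if targets & set(lookups) and not off:
            hits.append(name)
    return hits

def local_overrides(names):
    """Render local/savedsearches.conf stanzas that set disabled = 1."""
    return "".join(f"[{n}]\ndisabled = 1\n\n" for n in names)

if __name__ == "__main__":
    found = writers(parse_conf(SAMPLE_CONF), {"asset_inventory_lookup", "threat_intel_lookup"})
    print(local_overrides(found), end="")
```

Searches that are already turned off are skipped, so the output lists only the stanzas that still need an override.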
You can also turn off the saved search by adding the search to your local savedsearches.conf configuration file using the following curl command:
curl --location --request POST 'https://<host>:<mPort>/servicesNS/nobody/{app}/saved/searches' \
  -k -u <username>:<password> \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'name=My Saved Search' --data-urlencode 'disabled=1' \
  --data-urlencode 'owner=nobody' \
  --data-urlencode 'description=description text' \
  --data-urlencode 'search="index=main"' \
  --data-urlencode 'dispatch.index_earliest=-7d' --data-urlencode 'dispatch.index_latest=now'