Turn off saved searches that use specific KV Store collections
Turn off saved searches that use KV Store collections if they are not required.
You can turn off saved searches that are not required using one of the following two methods:
- Use Splunk Web
- Edit the
savedsearches.confconfiguration file
Follow these steps to turn off the search using Splunk Web:
- In the Splunk app, navigate to Settings and then select Searches, Reports and Alerts.
- In the Name column, find your saved search.
- Select Edit.
- Select Turn off.
If the searches that write to a specific KV Store collection are not required and can be turned off, set the disabled flag to True or 1 in the savedsearches.conf configuration file.
You can also turn off the saved search by adding the search to your local savedsearches.conf configuration file using the following CURL command:
curl –location –request POST 'https://<host>:<mPort>/servicesNS/nobody/{app}/saved/searches' \ -k -u <username>:<password> \ –header 'Content-Type: application/x-www-form-urlencoded' \ –data-urlencode 'name=My Saved Search' --data-urlencode 'disabled=1' \ --data-urlencode 'owner=nobody' \ --data-urlencode 'description=description text' \ --data-urlencode 'search="index=main"' \ --data-urlencode 'dispatch.index_earliest=-7d' --data-urlencode 'dispatch.index_latest=now'