Activate or deactivate saved searches from content packs
The guided setup for the content packs enables you to activate or deactivate all the saved searches of the content packs.
Prerequisites
You must have the admin or itoa_admin role to activate or deactivate the saved searches of the content packs.
Roles for activating and deactivating saved searches
Refer to the following table to identify which role is required to activate or deactivate saved searches of the content pack.
Content pack | Role that activates / deactivates saved searches |
---|---|
Splunk App for Content Packs version 1.9.0 or earlier | admin |
Splunk App for Content Packs version 2.0.0 or later | itoa_admin, admin |
Custom Content Pack created in ITSI version 4.16.0 (Created using "Content Authorship") | admin |
Custom Content Pack created in ITSI version 4.17.0 (Created using "Content Authorship") | itoa_admin, admin |
All the saved searches of Splunk App for Content Packs version 2.0.0 are deactivated by default.
Content Pack lister page
Content pack tiles now display the status of saved searches.
Saved search status will not be displayed if the content pack doesn't have any saved searches.
Saved search status can be in one of the following states:
- All Saved Searches activated: This text displays if all the Saved Searches of the content pack are activated.
- All Saved Searches deactivated: This text displays if all the Saved Searches of the content pack are deactivated.
- X/Y Saved Searches deactivated: This text displays when some (but not all) of the saved searches are deactivated (where X is the number of saved searches in a deactivated state and Y is the total number of saved searches in the content pack).
In addition, ITSI shows tiles for the following four content packs that do not have ITE Work or ITSI objects, but only have saved searches. ITSI users can perform actions on the saved searches of these content packs as well:
- ITE Work Alert Routing
- NetApp Data ONTAP Dashboards and Reports
- Unix Dashboards and Reports
- VMware Dashboards and Reports
The following screenshot shows a representative content pack lister page.
ITE Work users now see tiles for the following five additional content packs that have saved searches only. ITE Work users can perform actions on the saved searches of these content packs as well:
- ITE Work Alert Routing
- NetApp Data ONTAP Dashboards and Reports
- Unix Dashboards and Reports
- VMware Dashboards and Reports
- ITSI Monitoring and Alerting
The following screenshot shows tiles and saved search notations for featured content packs in ITE Work.
Modify status of saved searches of the content pack
Users can modify the status of saved searches of any content pack from the guided setup for installation. The following options are visible in the guided setup for content packs having saved searches:
- Activate all saved searches: This option activates all of the saved searches of the content pack.
- Deactivate all saved searches: This option deactivates all of the saved searches of the content pack.
- Retain current status of saved searches: This option keeps the status of the saved searches as is.
Content packs with saved searches and ITE Work/ITSI objects
In content packs that have saved searches and ITE Work or ITSI objects, the "Modify status of saved searches" option is displayed in the 4th position of the guided setup for installation, as shown in the following screenshot:
When the installation completes, users can view all objects that were successfully installed and the status of the saved searches, as shown in the following example.
Status of saved searches will only be visible if you select the Activate or Deactivate option of saved searches.
Content packs that only have saved searches
In content packs that have saved searches but no ITE Work or ITSI objects, only the "Modify status of saved searches" option is displayed by the guided setup for installation, as the following example from installation of the content pack for NetApp Data ONTAP Dashboards and Reports shows:
When the installation completes, you can view the status of the saved searches, as shown in the following example.
Status of saved searches will only be visible if you select the Activate or Deactivate option of saved searches.
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.18.0, 4.18.1, 4.19.0, 4.19.1