Closed jabrcks closed 3 months ago
The problem with implementing savedsearches.conf as output format is that formats are too static. There are lots of parameters like scheduling interval, search time frames etc. that furthermore differ between log sources in practice. Therefore, the better way to go is to implement it with processing pipelines as described here. One possibility would then be to implement a finalization operation that loads the generated search via API directly from the conversion process.
One idea I had as an enhancement (as we will try to update savedsearches.conf via REST in the future and not write directly to file): In our specific case it would make sense to have a new format "savedsearches as dict" which should return the same parameters as the finalize_*_savedsearches functions but as a Python dict, so it would be easier to use the Splunk REST endpoint to write those searches to savedsearches.conf, which should be preferred for example when converting in a Splunk Search Head cluster. This case might be specific to our environment right now, but might also make sense in general as it is hard to further process the output of the finalize_output_savedsearches function.
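As an added example (not code from the backend or from either comment above) of the post-processing the last comment describes as hard: parse savedsearches.conf text, as a finalizer would emit it, into one dict per search with the `[default]` stanza values merged in, shaped as bodies for Splunk's `saved/searches` REST endpoint. The conf sample is constructed; the real finalizer's exact stanza layout is an assumption and may differ.

```python
"""Turn savedsearches.conf text into per-search dicts for the REST endpoint."""
from typing import Dict, List, Optional

# Constructed sample in savedsearches.conf syntax (not real finalizer output).
SAMPLE_CONF = """\
[default]
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *

# A converted rule; backslash at end of line continues the value
[Suspicious Process Creation]
description = Detects a suspicious process chain \\
  spanning two lines in the conf file
search = index=sysmon EventCode=1 \\
  CommandLine="*whoami*"
alert.severity = 4
"""


def _logical_lines(conf: str) -> List[str]:
    """Join physical lines ending in a backslash (Splunk .conf continuation)."""
    out: List[str] = []
    buf: Optional[str] = None
    for raw in conf.splitlines():
        piece = raw if buf is None else raw.strip()
        buf = piece if buf is None else buf + " " + piece
        if buf.endswith("\\"):
            buf = buf[:-1].rstrip()
            continue
        out.append(buf)
        buf = None
    if buf is not None:  # trailing continuation with no following line
        out.append(buf)
    return out


def parse_savedsearches(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza_name: {key: value}}; comments and blank lines are skipped."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in _logical_lines(conf):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable savedsearches.conf line: {line!r}")
    return stanzas


def rest_payloads(stanzas: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """One saved/searches POST body per search: 'name' plus its attributes,
    with [default] values applied unless the stanza overrides them."""
    defaults = stanzas.get("default", {})
    payloads: List[Dict[str, str]] = []
    for name, attrs in stanzas.items():
        if name == "default":
            continue
        if "search" not in attrs:
            raise ValueError(f"stanza {name!r} has no 'search' attribute")
        payloads.append({"name": name, **defaults, **attrs})
    return payloads
```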