- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How can I transition my use cases on the Splunk In...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I transition my use cases on the Splunk Instance into separate applications?
Hello,
I inherited my Splunk instance from the previous owner and they had built out all of their indexes/ dashboards in the search & reporting app. I want to have different permissions for indexes and dashboards so I need to transition all of my use cases into separate applications.
One part I don't understand is where do all of the private dashboards/reports/searches of all my users live? Do they remain in the search & reporting app and it doesn't matter because they're private?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
check out this answer and the file hierarchy diagram.
https://answers.splunk.com/answers/521173/does-anyone-have-splunk-file-structure-diagram.html
its important to distinguish between app level items and private items as they are saved under different locations within the etc directory.
will recommend to first change all items (knowledge objects, views, reports, etc) permissions to app level.
then, decide how to split, divide and concur. create new apps and move the now app based files to the new relevant app.
for example, user = joe has a saved search named joe_saved_search in a private mode which he saved from search app. this search will be in savedsearches.conf under the /etc/users/joe/search/savedsearches.conf
when you will modify permission to "app" you the file will be now under /etc/apps/search/local/ directory.
now you can take that savedsearches. conf (or portions of it) and create a new savedsearches.conf in the new app you desire.
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
all private dashboards, reports etc. will be in $SPLUNK_HOME/etc/users directory...they can only be seen by users who has created and admin only.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so really the only migrations I need to worry about is the public objects?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes only public shared objects
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you!
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
