Hello,
I inherited my Splunk instance from the previous owner and they had built out all of their indexes/dashboards in the Search & Reporting app. I want to have different permissions for indexes and dashboards, so I need to transition all of my use cases into separate applications.
One part I don't understand is where do all of the private dashboards/reports/searches of all my users live? Do they remain in the search & reporting app and it doesn't matter because they're private?
Hello there,
Check out this answer and the file hierarchy diagram.
https://answers.splunk.com/answers/521173/does-anyone-have-splunk-file-structure-diagram.html
It's important to distinguish between app-level items and private items, as they are saved under different locations within the etc directory.
I would recommend first changing the permissions of all items (knowledge objects, views, reports, etc.) to app level.
Then decide how to split, divide and conquer. Create new apps and move the now app-based files to the new relevant app.
For example, user = joe has a saved search named joe_saved_search in private mode, which he saved from the search app. This search will be in savedsearches.conf under /etc/users/joe/search/savedsearches.conf
When you modify the permission to "app", the file will now be under the /etc/apps/search/local/ directory.
Now you can take that savedsearches.conf (or portions of it) and create a new savedsearches.conf in the new app you desire.
Hope it helps.
All private dashboards, reports, etc. will be in the $SPLUNK_HOME/etc/users directory. They can only be seen by the users who created them and by admins.
So really the only migration I need to worry about is the public objects?
Yes, only public shared objects.
Thank you!
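The file locations described in the answers above, as an added example that is not part of the original thread: a Python script that lists each user's private saved searches and dashboards for one app, so you can see what stays behind under etc/users when the app-level objects are moved. It assumes the standard layout etc/users/<user>/<app>/local/ (dashboards under data/ui/views); the function names and the sample tree built in demo() are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

STANZA = re.compile(r"^\[([^\]]+)\]\s*$")

def stanza_names(conf_path):
    """Yield stanza names, skipping lines that continue a value ending in a backslash."""
    continued = False
    for line in conf_path.read_text(encoding="utf-8", errors="replace").splitlines():
        m = None if continued else STANZA.match(line)
        continued = line.rstrip().endswith("\\")
        if m and m.group(1) != "default":
            yield m.group(1)

def inventory_private_objects(splunk_home, app="search"):
    """Return (user, kind, name) for private objects each user saved from `app`."""
    found = []
    users_dir = Path(splunk_home) / "etc" / "users"
    if not users_dir.is_dir():
        return found
    for user_dir in sorted(p for p in users_dir.iterdir() if p.is_dir()):
        # Assumed layout: etc/users/<user>/<app>/local/
        local = user_dir.joinpath(app, "local")
        conf = local / "savedsearches.conf"
        if conf.is_file():
            found += [(user_dir.name, "savedsearch", n) for n in stanza_names(conf)]
        views = local.joinpath("data", "ui", "views")
        if views.is_dir():
            found += [(user_dir.name, "dashboard", v.stem) for v in sorted(views.glob("*.xml"))]
    return found

def demo():
    """Build a constructed sample tree (not real data) and inventory it."""
    with tempfile.TemporaryDirectory() as home:
        joe = Path(home, "etc", "users", "joe", "search", "local")
        joe.joinpath("data", "ui", "views").mkdir(parents=True)
        joe.joinpath("savedsearches.conf").write_text(
            "[joe_saved_search]\nsearch = index=main error \\\n[search index=lookup]\n")
        joe.joinpath("data", "ui", "views", "joe_dash.xml").write_text("<dashboard/>")
        ann = Path(home, "etc", "users", "ann", "launcher", "local")  # other app: ignored
        ann.mkdir(parents=True)
        ann.joinpath("savedsearches.conf").write_text("[ann_other_app]\nsearch = *\n")
        return inventory_private_objects(home)

if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

Run it against a copy of the etc directory rather than the live instance, and pass a different `app` value to check objects saved from other apps.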