All,
I just installed Splunk_TA_nix and noticed that it's tags are quite expensive. I'd like to limit the knowledge object to searching and reporting and "MyCustomApp". How would I copy and modify default.meta in that situation?
vi default.meta
# Application-level permissions
[]
access = read : [ * ], write : [ admin ]
export = system
[savedsearches]
owner = admin
## Exclude export of custom alert actions
[alert_actions/email]
export = none
I don't know if it's possible to export knowledge objects to certain apps. As far as I know is either "global" or nothing. However, if you haven't done so already, you should try to edit tags.conf and possibly eventtypes.conf to optimize the tagging. Make sure that the searches only search in relevant indexes, at least.