Dashboards & Visualizations

How can I transition my use cases on the Splunk Instance into separate applications?

katzr
Path Finder

Hello,

I inherited my Splunk instance from the previous owner and they had built out all of their indexes/ dashboards in the search & reporting app. I want to have different permissions for indexes and dashboards so I need to transition all of my use cases into separate applications.

One part I don't understand is where do all of the private dashboards/reports/searches of all my users live? Do they remain in the search & reporting app and it doesn't matter because they're private?

0 Karma

adonio
Ultra Champion

hello there,

check out this answer and the file hierarchy diagram.
https://answers.splunk.com/answers/521173/does-anyone-have-splunk-file-structure-diagram.html
its important to distinguish between app level items and private items as they are saved under different locations within the etc directory.
will recommend to first change all items (knowledge objects, views, reports, etc) permissions to app level.
then, decide how to split, divide and concur. create new apps and move the now app based files to the new relevant app.
for example, user = joe has a saved search named joe_saved_search in a private mode which he saved from search app. this search will be in savedsearches.conf under the /etc/users/joe/search/savedsearches.conf
when you will modify permission to "app" you the file will be now under /etc/apps/search/local/ directory.
now you can take that savedsearches. conf (or portions of it) and create a new savedsearches.conf in the new app you desire.

hope it helps

0 Karma

493669
Super Champion

all private dashboards, reports etc. will be in $SPLUNK_HOME/etc/users directory...they can only be seen by users who has created and admin only.

0 Karma

katzr
Path Finder

so really the only migrations I need to worry about is the public objects?

0 Karma

493669
Super Champion

yes only public shared objects

0 Karma

katzr
Path Finder

thank you!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...