I inherited my Splunk instance from the previous owner, and they had built out all of their indexes/dashboards in the Search & Reporting app. I want to have different permissions for indexes and dashboards, so I need to transition all of my use cases into separate applications.
One part I don't understand is where do all of the private dashboards/reports/searches of all my users live? Do they remain in the search & reporting app and it doesn't matter because they're private?
All private dashboards, reports, etc. will be in the
$SPLUNK_HOME/etc/users directory. They can only be seen by the user who created them and by admins.
Check out this answer and the file hierarchy diagram.
It's important to distinguish between app-level items and private items, as they are saved under different locations within the etc directory.
I will recommend to first change the permissions of all items (knowledge objects, views, reports, etc.) to app level.
Then decide how to split, divide and conquer. Create new apps and move the now app-based files to the new relevant app.
For example, user = joe has a saved search named joesavedsearch in private mode, which he saved from the search app. This search will be in savedsearches.conf under /etc/users/joe/search/savedsearches.conf
When you modify the permission to "app", the file will now be under the /etc/apps/search/local/ directory.
Now you can take that savedsearches.conf (or portions of it) and create a new savedsearches.conf in the new app you desire.
Hope it helps.
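Before changing any permissions, it helps to know which private objects each user actually has under `$SPLUNK_HOME/etc/users`. The script below is an added example, not part of the thread or of Splunk itself: it lists private saved-search stanzas and dashboards per user and app. The function names and the sample tree are hypothetical, and it assumes private dashboards are stored as XML files under `data/ui/views`.

```python
import os
import re
import tempfile
from pathlib import Path

STANZA = re.compile(r"^\[([^\]]+)\]\s*$")  # a .conf stanza header such as [joesavedsearch]

def private_objects(splunk_home):
    """Map (user, app) -> private saved-search stanzas and dashboard names."""
    users_dir = Path(splunk_home) / "etc" / "users"
    inventory = {}
    # "**" also matches zero directories, so the conf is found whether it sits
    # directly in the app directory or in a subdirectory such as local/.
    for conf in sorted(users_dir.glob("*/*/**/savedsearches.conf")):
        user, app = conf.relative_to(users_dir).parts[:2]
        entry = inventory.setdefault((user, app), {"searches": [], "views": []})
        for line in conf.read_text(encoding="utf-8", errors="replace").splitlines():
            match = STANZA.match(line.strip())
            if match and match.group(1) != "default":
                entry["searches"].append(match.group(1))
    # Assumption: private dashboards are one XML file per view under data/ui/views.
    for view in sorted(users_dir.glob("*/*/**/data/ui/views/*.xml")):
        user, app = view.relative_to(users_dir).parts[:2]
        entry = inventory.setdefault((user, app), {"searches": [], "views": []})
        entry["views"].append(view.stem)
    return inventory

def build_sample(root):
    """Constructed sample tree: user joe with one private search and one dashboard."""
    app = Path(root) / "etc" / "users" / "joe" / "search" / "local"
    (app / "data" / "ui" / "views").mkdir(parents=True)
    (app / "savedsearches.conf").write_text(
        "[joesavedsearch]\nsearch = index=main | stats count\n", encoding="utf-8")
    (app / "data" / "ui" / "views" / "joes_dashboard.xml").write_text(
        "<dashboard><label>Joe</label></dashboard>\n", encoding="utf-8")
    return root

if __name__ == "__main__":
    # Uses the real instance when SPLUNK_HOME is set, otherwise the constructed sample.
    home = os.environ.get("SPLUNK_HOME")
    with tempfile.TemporaryDirectory() as tmp:
        for (user, app), objs in private_objects(home or build_sample(tmp)).items():
            print(f"{user}\t{app}\tsearches={objs['searches']}\tviews={objs['views']}")
```

Run it as a user that can read `etc/users`; the output shows which users still hold private objects in the search app and would need their permissions changed before a move.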