I am working in an 5.x environment with several searchheads and several indexers. When I go the the UI, I can find my dashboards, searches, etc. But, with full root access to the unix file system, I cannot find the source files.
It's been a while since I worked with splunk at the development level, but this is driving me crazy as it doesn't seem like rocket science. Yet, for example, I have a dashboard called XTA_dashboard. I cannot find any files named, or containing this text, except for in log files. Where would this custom dashboard be saved, on the searchhead, and in what folder, assuming an app called xta_app.
Thanks
Check the dashboards permissions (apps -> your_app -> View Objects). Just found out that if sharing is set to private, it's not placed in the app local directory, but hidden somewhere else. Changing the sharing to App places the dashboard into the apps local/data/ui/views folder.
This was with Splunk 7.1.2 so it might not be entirely accurate for Splunk 5.
Are you using search head pooling?
If search head pooling is enabled, "active" configurations are located on shared storage instead of in $SPLUNK_HOME/etc. The mount point splunk uses is set in $SPLUNK_HOME/etc/system/local/server.conf, in the "storage" attribute of the [pooling] stanza.
saved searches
- $/splunk/etc/apps/xta_app/default/savedsearches.conf
dashboards
Did you check the search head or indexer that it was created on? If you can't find the app then I'm not sure where it would be but check to see if the dashboard is saved in the search app.
splunk@sh1:/hosting/apps/splunk/etc>$ find . -name xta_app
$
no such folder exists
Is there a deployed apps folder in etc? If there is look in there.
If you click on apps or app management it will show you a list of all apps that are installed. It has name, folder name, version etc.
it shows xta_app under the foldername field, but no such folder exists on the searchhead.
What does it say on the gui under folder name?
Not sure where I should look for a folder name. I'm looking at the views in Manager and see no folder name listed. Just "view name" "owner" "app" "sharing" "status" and "actions"
Also, did you look in the deployed apps folder?
Thanks jclehmuth
This is exactly what I would have thought. But, I am looking at the $/splunk/etc/apps folder on the search head on which I am using the gui, and no xta_app directory exists. Thus the reason I'm stumped.
I mean to ask where the custom dashboard would be, on the searchhead, or on the indexer, and in what folder....