Very interesting. It is not widely known but the admin section is actually extremely dynamic, and is controlled in large part by all the XML files you'll find in etc/apps/search/default/data/ui/manager/ The files there are a part of EAI, which stands for Extensible Administration Interface, and the "eai" prefix that you see in certain places in the rest api still. It is indeed extensible, and you can see some apps like DBConnect do indeed extend it quite powerfully.
Also the refresh endpoints I believe are able to refresh those XML files from disk. It's possible that Splunk was unable to reach those files at the moment when you hit the refresh endpoint? Perhaps verify that all those xml files are actually there in the right place and hit the refresh endpoint again ?
I did find that the entire default directory was missing. I've restored from fresh install of the same Splunk version.
Are http://splunk/en-US/debug/refresh?entity=/data/ui/nav and http://splunk/en-US/debug/refresh?entity=/data/ui/view the correct endpoint to refresh?
Great - I believe the relevant refresh endpoint is actually http://splunk/en-US/debug/refresh?entity=/admin/manager
/data/ui/nav refreshes all the
*/data/ui/nav/default.xml files from all apps.
/data/ui/views refreshes all the
*/data/ui/views/*.xml from all apps.
When in doubt, you can just hit the refresh endpoint with no entity specified and it can take a really long time on some platforms, but it will refresh them all.
Thank you very. This did bring back the all the settings. Hate to be a bother but can you tell me how I get the files in /etc/apps/search/local/data/ui/views to be seen? I don't see the dashboards.
I did that refresh but dashboards in the location still do not show up. Maybe if I move them to another location it might pick them up?
Hi @techn0gichida - If @sideview was able to answer your question, please don't forget to resolve the post by clicking "Accept" below the answer. Thank you!
if I'm going to http://mySplunk:8000/en-US/debug/refresh?entity=/data/ui/view, suggestions on where to look next? I've checked all the files in /etc/apps/search/.../views/manager are have 644 permissions, owned by splunk.
This XML file does not appear to have any style information associated with it. The document tree is shown below. <response> <link type="text/css" id="dark-mode" rel="stylesheet" href=""/> <style type="text/css" id="dark-mode-custom-style"/> <messages> <msg type="ERROR">Forbidden</msg> </messages> </response>
Ah thanks - sorry there was a typo in my response. The URL is
and it was missing the "s" on the end, which is why you were getting that error. Add the "s" and it will work. Also I will go and edit my comment above to fix that typo.