Hi, Thought I might get some help here. I installed Splunk and when I login first time I changed the settings for admin user including default app, It was by default launcher, but I selected to be none. So now if I go into admin settings page I don't see the app selected (which is supposed to happen). But when I see under Access Controls->users page, for admin user I still see "launcher" in default app column. Is this normal behavior? The reason I want no app is I would like make all the conf changes under $SPLUNKHOME/etc/apps/system/local instead of a specific app.
Thanks for your response.
You still see launcher because that's the default app globally. You can override that per role, without anything set there the global value carries over. That can again be overridden per user, without anything set there the role value carries over.
Your approach cannot really work though, because you always are within an app when logged into the Splunk UI. Take a look at your Settings URLs, they always contain an app name after /manager/
unless they are inherently system-wide settings such as licensing.
In order to specifically drop configurations in system/local you should edit the .conf files there.
Depending on what you're trying to do it may be better practice to create an app specifically for your configuration though.
Hi Martin,
Thanks for clarification. I do see those apps names in the URLs, but I still had a question, when I add inputs in the GUI, (I was changing the sourcetype, creating new sourcetype), I see the props.conf created under system/local and inputs.conf created under search (I was in search app). Wondering why props.conf created in global?
Thanks for your response.