Is there a way to prevent users from saving knowledge objects in the Searching and Reporting app?
We are creating an app for each Department that will be using Splunk, and want all of their knowledge objects to be saved there in order to keep things better organized, prevent accidental over-sharing of reports/dashboards (oh when I said everyone could see it that meant anyone in any department!?!!), etc...
What are you trying to avoid? Users creating their own private knowledge objects in the search and reporting app? Users with write permission creating clutter for everyone else in the app since their knowledge objects are seen by everyone else? Or simply containing users within their departmental app that they should be using instead of the search app?
Knowledge objects are going to be saved from whatever app context the user is within when they are created. To force your users into the app for their department you could create roles for each department, map those users via LDAP or local auth and then set the default app context to their departmental app. If that's not feasible then you're going to have to do some user education to get people out of the search app and into their departmental app if they are going to save knowledge objects.
By default only admin and power roles have write permission in the search app. So any user with read permission will just have private knowledge objects that nobody else can see.
We are building a new Splunk environment (hardware refresh and migrating from search head pooling to clustering) and I am wanting to prevent clutter in the Search app (right now everyone seems to share all of their searches out and there is just a lot of reports and dashboards to sort through in the Search app.) We also want users from each department to save things in their Department's app to help organise things and also to let us know who owns something which is useful when an object's owner leaves and we are asked to change the owner or permissions on something.)
Part of the problem is now anyone can save and share things in the Search and Reporting app. I investigated this and it seems that currently Everyone has write access to the Search app... if that is not (and never was) the default configuration, I am not sure why we set it up that way years ago, but that will certainly change in the future.
We will be trying our best with end-user education, asking them to save to their Department's app. And the default app will be assigned by role to help by at least getting them started out in the appropriate place. With read only permissions on the search app that will help address the clutter issue as they will not be able to share anything there.
You can change the permissions of the app by going to : Apps --> Manage Apps --> find the search app and select permissions--> Change the Read/Write permissions. You could also do this by editing the default.meta config file: http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Defaultmetaconf .
You could also change the default app that the user sees upon logging into splunk by role or user: Settings --> Access Controls --> Roles|Users--> select the desired role --> Select a default app from the drop-down list under Default app.