it's in defined in the role as "default app" in manager > access controls > Roles > ....
And can be overwritten by the users in their own user preferences.
I do not know who win in case of roles inheritance, or users members of multiple roles.
Do which conf file I would edit in stead of using the Web UI? I prefer to do all management through conf files with an large env. Thanks
Actually, although most things on that page are set in authorize.conf, the "default app" setting ends up in user-prefs.conf, written to etc/apps/
Ugh. Yes, thanks. Splunkbase mangled my comment. I guess if you use corner brackets in a comment it thinks you're trying to write xml.
Today I had to deal with this issue, and I found out that the path in the hosts of our cluster is
We have version 6.2.5
In user-prefs.conf file write this:
Like to admin give default app as search
defaultnamespace = search