Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Saved Search runs after Uninstallation of App

vr2312
Builder
‎11-23-2017 06:40 AM

I installed an App from Splunkbase for Testing purposes.

The app came with Custom Searches which i had scheduled as per the testing phase.

I had uninstalled the app, however, i can still see searches run from the app though the app no longer exists.

it is not creating much of a trouble but i am wondering from where the searches are being run and how i can stop it.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vr2312
Builder
‎12-06-2017 05:46 AM

Thanks for the input @ybongart

Sorted the answer by myself.

The issue was occurring due to a Search head which was brought up which happened to be a clone. hence the server.conf/inputs.conf had the disabled searches search head server name.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vr2312
Builder
‎12-06-2017 05:46 AM

Thanks for the input @ybongart

Sorted the answer by myself.

The issue was occurring due to a Search head which was brought up which happened to be a clone. hence the server.conf/inputs.conf had the disabled searches search head server name.

0 Karma
Reply
Solved! Jump to solution

ybongart_splunk
Splunk Employee
Splunk Employee
‎11-23-2017 08:40 AM

If you made any changes to saved searches in the app, check your user folder for personal copies of the app, specifically in $SPLUNK_HOME/etc/users/{user}/{app}/local/savedsearches.conf

See https://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationfiledirectories

Also, you should see the search listed under Settings->Searches, Reports, and Alerts.

There you may be able to see the Owner and if "Sharing" is "Private" then it will be found under $SPLUNK_HOME/etc/users/...

You can also disable it from there by selecting Actions->Edit->Disable.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...