I installed an App from Splunkbase for Testing purposes.
The app came with Custom Searches which i had scheduled as per the testing phase.
I had uninstalled the app, however, i can still see searches run from the app though the app no longer exists.
it is not creating much of a trouble but i am wondering from where the searches are being run and how i can stop it.
Thanks for the input @ybongart
Sorted the answer by myself.
The issue was occurring due to a Search head which was brought up which happened to be a clone. hence the server.conf/inputs.conf had the disabled searches search head server name.
Thanks for the input @ybongart
Sorted the answer by myself.
The issue was occurring due to a Search head which was brought up which happened to be a clone. hence the server.conf/inputs.conf had the disabled searches search head server name.
If you made any changes to saved searches in the app, check your user folder for personal copies of the app, specifically in $SPLUNK_HOME/etc/users/{user}/{app}/local/savedsearches.conf
See https://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationfiledirectories
Also, you should see the search listed under Settings->Searches, Reports, and Alerts.
There you may be able to see the Owner and if "Sharing" is "Private" then it will be found under $SPLUNK_HOME/etc/users/...
You can also disable it from there by selecting Actions->Edit->Disable.