Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Saved Search runs after Uninstallation of App

vr2312
Builder
‎11-23-2017 06:40 AM

I installed an App from Splunkbase for Testing purposes.

The app came with Custom Searches which i had scheduled as per the testing phase.

I had uninstalled the app, however, i can still see searches run from the app though the app no longer exists.

it is not creating much of a trouble but i am wondering from where the searches are being run and how i can stop it.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vr2312
Builder
‎12-06-2017 05:46 AM

Thanks for the input @ybongart

Sorted the answer by myself.

The issue was occurring due to a Search head which was brought up which happened to be a clone. hence the server.conf/inputs.conf had the disabled searches search head server name.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vr2312
Builder
‎12-06-2017 05:46 AM

Thanks for the input @ybongart

Sorted the answer by myself.

The issue was occurring due to a Search head which was brought up which happened to be a clone. hence the server.conf/inputs.conf had the disabled searches search head server name.

0 Karma
Reply
Solved! Jump to solution

ybongart_splunk
Splunk Employee
Splunk Employee
‎11-23-2017 08:40 AM

If you made any changes to saved searches in the app, check your user folder for personal copies of the app, specifically in $SPLUNK_HOME/etc/users/{user}/{app}/local/savedsearches.conf

See https://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationfiledirectories

Also, you should see the search listed under Settings->Searches, Reports, and Alerts.

There you may be able to see the Owner and if "Sharing" is "Private" then it will be found under $SPLUNK_HOME/etc/users/...

You can also disable it from there by selecting Actions->Edit->Disable.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...