Solved: Saved Search runs after Uninstallation of App

vr2312 · ‎11-23-2017

I installed an App from Splunkbase for Testing purposes.

The app came with Custom Searches which i had scheduled as per the testing phase.

I had uninstalled the app, however, i can still see searches run from the app though the app no longer exists.

it is not creating much of a trouble but i am wondering from where the searches are being run and how i can stop it.

vr2312 · ‎12-06-2017

Thanks for the input @ybongart

Sorted the answer by myself.

The issue was occurring due to a Search head which was brought up which happened to be a clone. hence the server.conf/inputs.conf had the disabled searches search head server name.

View solution in original post

vr2312 · ‎12-06-2017

Thanks for the input @ybongart

Sorted the answer by myself.

The issue was occurring due to a Search head which was brought up which happened to be a clone. hence the server.conf/inputs.conf had the disabled searches search head server name.

ybongart_splunk · ‎11-23-2017

If you made any changes to saved searches in the app, check your user folder for personal copies of the app, specifically in $SPLUNK_HOME/etc/users/{user}/{app}/local/savedsearches.conf

See https://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationfiledirectories

Also, you should see the search listed under Settings->Searches, Reports, and Alerts.

There you may be able to see the Owner and if "Sharing" is "Private" then it will be found under $SPLUNK_HOME/etc/users/...

You can also disable it from there by selecting Actions->Edit->Disable.

Saved Search runs after Uninstallation of App

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk