This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6
Apps are commonly built out of Splunk knowledge: saved searches, event types, tags, and similar items that enrich your Splunk data and make it easier to find what you need. In Splunk, these knowledge items are also known as objects.
Any user logged into Splunk Web can create and save these objects to their user directory under the App they are "in" (assuming they have sufficient permissions). This is the default behavior: any time a user saves an object, it goes into that user's directory for that App.
The user directory is located at: $SPLUNK_HOME/etc/users/<user_name>/<App_name>/local. Once the user has saved the object for that App, it is available to that user only when they are in that App, unless they do one of the following things (and have the correct permissions to do so):
Users can share their Splunk knowledge objects with other users through the Permissions dialog. This means users who have read permissions in an App can see the shared objects and use them. For example, if a user shares a saved search, other users can see that saved search, but only within the App in which the search was originally created. So if you create a saved search in App Fflanda and then share it, other users of App Fflanda can see your saved search, provided they have read permissions for App Fflanda as well.
Some users can have permissions to promote their objects to the App level. This means the objects are actually copied from their user directory to that App's directory:
from:
$SPLUNK_HOME/etc/users/<user_name>/<App_name>/local/
to:
$SPLUNK_HOME/etc/apps/<App_name>/local/
Users can only do this if they have write permission in the App.
Finally, upon promotion, users can decide if they want their object to be available globally, meaning all Apps are able to see it. Again, the user must have permission to write to the original App. It's easiest to do this from within Manager, but you can also do it later by moving the relevant object into the desired directory.
To move an object A defined in <something>.conf from user C in App D: Move the stanza defining A from
$SPLUNK_HOME/etc/users/C/D/<something>.conf
to
$SPLUNK_HOME/etc/apps/D/local/<something>.conf
For example, to promote an event type called rhallen created by a user named fflanda in the *Nix App so that it is globally available:
Move the [rhallen] stanza from $SPLUNK_HOME/etc/users/fflanda/unix/eventtypes.conf
to
$SPLUNK_HOME/etc/apps/unix/local/eventtypes.conf
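The stanza move described above can be scripted. The following is an added example, not part of the original documentation and not Splunk's own tooling: it moves one stanza between two .conf files and refuses to overwrite a stanza of the same name at the destination, since the App-level copy is the one other users of the App see. The function names and the sample file contents are constructed for illustration, and the script only moves the stanza text; it does not change any permission settings.

```python
import re
from pathlib import Path

HEADER = re.compile(r"^\[(?P<name>[^\]]*)\]\s*$")  # a stanza header such as [rhallen]

# Constructed sample contents (not taken from a real Splunk install).
SAMPLE_USER_CONF = "[rhallen]\nsearch = sourcetype=syslog sshd\n\n[other]\nsearch = error\n"
SAMPLE_APP_CONF = "[existing]\nsearch = failed login\n"

def split_stanzas(text):
    """Split .conf text into ordered (name, block) pairs; text before the first header gets name None."""
    blocks, name, lines = [], None, []
    for line in text.splitlines(keepends=True):
        m = HEADER.match(line)
        if m:
            if lines:
                blocks.append((name, "".join(lines)))
            name, lines = m.group("name"), []
        lines.append(line)
    if lines:
        blocks.append((name, "".join(lines)))
    return blocks

def move_stanza_text(src, dst, stanza):
    """Return (new_src, new_dst) with the stanza removed from src and appended to dst."""
    blocks = split_stanzas(src)
    moved = "".join(b for n, b in blocks if n == stanza)
    if not moved:
        raise KeyError(f"[{stanza}] not found in source")
    # The app-level copy is what other users of the App see, so never clobber it silently.
    if any(n == stanza for n, _ in split_stanzas(dst)):
        raise ValueError(f"[{stanza}] already defined in destination")
    remaining = "".join(b for n, b in blocks if n != stanza)
    sep = "" if not dst or dst.endswith("\n") else "\n"
    return remaining, dst + sep + moved

def move_stanza(src_path, dst_path, stanza):
    """File-level wrapper: dst_path is created if it does not exist yet."""
    src_path, dst_path = Path(src_path), Path(dst_path)
    dst_text = dst_path.read_text() if dst_path.exists() else ""
    new_src, new_dst = move_stanza_text(src_path.read_text(), dst_text, stanza)
    dst_path.parent.mkdir(parents=True, exist_ok=True)
    dst_path.write_text(new_dst)  # write the destination first so the object is never lost
    src_path.write_text(new_src)

if __name__ == "__main__":
    user_conf, app_conf = move_stanza_text(SAMPLE_USER_CONF, SAMPLE_APP_CONF, "rhallen")
    print(app_conf)
```

Call `move_stanza()` with the user-level file as the source and the App-level file as the destination; a `ValueError` means an object with that name already exists at the App level and needs a manual decision.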
The objects discussed here are limited to those that are subject to access control. These objects are also known as App-level objects and can be set in the App Configuration tab of Splunk Manager. This page is available to all users to manage any objects they have created and shared.
Includes:
Objects that are at the system level are managed through Manager and are only available to users with admin privileges (or those with permissions to read/write to the objects shown there).
Includes:
Important: If you add an input, Splunk adds that input to a copy of inputs.conf that belongs to the App you're in when you add that input. This means that if you navigated to Splunk Manager directly from the launcher, your input will be added to $SPLUNK_HOME/etc/apps/launcher/local/inputs.conf.
When you add knowledge to Splunk, it's added in the context of the App you're in when you add it. When Splunk is evaluating configurations and knowledge, it evaluates them in a specific order of precedence, so that you can control what knowledge definitions and configurations are used in what context. Refer to About configuration files for more information about the configuration files Splunk uses and the order of precedence.