Where To Find Configuration Files in Splunk

Posted by David Veuve - 2011-08-10 19:29:37
If you've added an input, saved search, or any other kind of configuration through the UI, you might have a lot of trouble finding the configuration file later.

If you're on Unix, the easiest way is to search the filesystem:

#/opt/splunk/etc/: egrep -R MySearchName .

./users/jsmith/launcher/local/savedsearches.conf:[MySearchName]

If you're on Windows... well, frankly I'd download UnxUtils and do the same.

Or you can look manually! Here are some good places:

  • /opt/splunk/etc/system/local -- The appropriate place for most server-wide configuration
  • /opt/splunk/etc/apps/search/local -- Where things get stuck if you add them while in the search app
  • /opt/splunk/etc/apps/launcher/local -- Where things get stuck if you add them while in the launcher app
  • /opt/splunk/etc/apps/YourAppName/local -- Where things get stuck if you add them while in your own custom app
  • /opt/splunk/etc/users/YourUsername/search/local -- Same as above, but for private searches belonging to just the user
  • /opt/splunk/etc/users/YourUsername/launcher/local -- Same as above, but for private searches belonging to just the user
  • /opt/splunk/etc/users/YourUsername/YourAppName/local -- Same as above, but for private searches belonging to just the user
  • /opt/splunk/etc/system -- The place for a very few pieces of server-wide configuration
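
The search and the directory list above can be combined into one helper that finds a stanza and labels which scope (system, app, or a user's private copy) and layer (local or default) each hit sits in. This is an added example, not code from the original post; the function names and the sample tree are constructed for illustration, and the match is on the exact stanza header line, so a header with trailing whitespace would be missed.

```shell
#!/bin/sh
# Added example: find a stanza under Splunk's etc/ and label where it lives.

# classify_conf_path PATH -> "<scope><TAB><layer>" for a path relative to etc/.
# The body runs in a subshell so the IFS and globbing changes do not leak out.
classify_conf_path() (
  rel=${1#./}
  IFS=/; set -f
  set -- $rel                       # split the path on "/"
  case "$1" in
    system) printf 'system\t%s\n' "$2" ;;
    apps)   printf 'app:%s\t%s\n' "$2" "$3" ;;
    users)  printf 'user:%s app:%s\t%s\n' "$2" "$3" "$4" ;;
    *)      printf 'other\t-\n' ;;
  esac
)

# find_stanza ETC_DIR NAME -> one line per .conf file whose stanza header is
# exactly [NAME]: "<scope><TAB><layer><TAB><path relative to ETC_DIR>".
find_stanza() (
  cd "$1" || exit 1
  grep -rlxF --include='*.conf' -e "[$2]" . | sort | while IFS= read -r f; do
    printf '%s\t%s\n' "$(classify_conf_path "$f")" "${f#./}"
  done
)

# make_sample_etc -> path of a small constructed etc/ tree (not real data).
make_sample_etc() {
  d=$(mktemp -d)
  mkdir -p "$d/users/jsmith/launcher/local" "$d/apps/search/local" \
           "$d/apps/MyApp/default"
  printf '[MySearchName]\nsearch = index=main\n' \
    > "$d/users/jsmith/launcher/local/savedsearches.conf"
  printf '[MySearchName]\nsearch = index=main error\n' \
    > "$d/apps/MyApp/default/savedsearches.conf"
  printf '[MySearchName2]\nsearch = index=main\n' \
    > "$d/apps/search/local/savedsearches.conf"
  echo "$d"
}

# Demo on the constructed tree; on a real server pass /opt/splunk/etc instead.
sample=$(make_sample_etc)
find_stanza "$sample" MySearchName
rm -rf "$sample"
```

A hit labelled `user:` is a private object that only that user sees, which is why the same name can exist at app level and under etc/users at once.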

It's easy for this to become a complete mess. I highly recommend creating a standard method for modifying your files. Personally, I make all of my app-specific changes in /opt/splunk/etc/apps/MyApp/default via the file system directly (then hit the refresh endpoint at http://YourServer:8000/en-US/debug/refresh). That allows other admins to make changes if they desire. While it confuses things if they make changes through the UI and it no longer loads my default, it doesn't risk overwriting my own version. For system changes, I put them all in /opt/splunk/etc/system/local (except for those that need to be in just /system).

This is also a great time to mention the Splunk doc on config file inheritance.

Did I miss any?