Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Saved search changes in search head cluster don't persist.

t183194
Explorer
‎05-01-2017 10:12 PM

We have some scheduled saved searches that we migrated from a stand-alone SH to a SHC via a deployer. When we try and edit a search (in this case the edit is removing an email address), then save the change, the change doesn't persist. Is this because the edit is removing something and so savedsearches.conf in /local is not being updated?
We can create a new search and edit it ok, it's just the searches that were deployed that are the issue. Would like to know if this is expected functionality or a bug.

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎05-04-2017 04:41 PM

Are you saying you have moved searches from the local search head (previously a single instance) to a deployer and pushed them to a search head cluster?

In this case searches pushed by the deployer cannot be deleted on the search head cluster, I'm unsure why editing does not work in your scenario but my solution was to clone any searches pushed by the deployer so they existed locally on the search head and to stop them from been pushed by the deployer itself. This was a pain but something that had to be fixed eventually...

Just to confirm, when you edit the search your saying the local/savedsearches.conf doesn't get created if it was pushed by the deployer?

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

DalJeanis
Legend
‎05-03-2017 04:15 PM

Okay, so this link describes what is happening

https://answers.splunk.com/answers/121808/how-to-ensure-upgrade-of-saved-search-which-was-modified-b...

This link describes where to put the modified saved search so that it will be propagated correctly. See the section under "Where to place the configuration bundle on the deployer"

http://docs.splunk.com/Documentation/Splunk/6.5.3/DistSearch/PropagateSHCconfigurationchanges

0 Karma
Reply

DalJeanis
Legend
‎05-02-2017 09:13 AM

Where, precisely, are you editing the search? It is not likely to be the type of change that you are making, it is likely to be where you are making the change.

You need to edit it and deploy the update, not edit it on any SH. Otherwise, the deployer will just have to overwrite that pesky search that is getting out of sync with its master.

0 Karma
Reply

t183194
Explorer
‎05-02-2017 02:01 PM

The change being made is via Splunk web. In this sceanrio the user is trying to remove an email address that was part of the deployed saved search. Hope this makes it clear.

0 Karma
Reply

t183194
Explorer
‎05-02-2017 02:42 PM

PS, we are using Splunk Enterprise 6.5.2

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...