Deployment Architecture

Saved search changes in search head cluster don't persist.

t183194
Explorer

We have some scheduled saved searches that we migrated from a stand-alone SH to a SHC via a deployer. When we try and edit a search (in this case the edit is removing an email address), then save the change, the change doesn't persist. Is this because the edit is removing something and so savedsearches.conf in /local is not being updated?
We can create a new search and edit it ok, it's just the searches that were deployed that are the issue. Would like to know if this is expected functionality or a bug.

0 Karma

gjanders
SplunkTrust

Are you saying you have moved searches from the local search head (previously a single instance) to a deployer and pushed them to a search head cluster?

In this case, searches pushed by the deployer cannot be deleted on the search head cluster. I'm unsure why editing does not work in your scenario, but my solution was to clone any searches pushed by the deployer so they existed locally on the search head and to stop them from being pushed by the deployer itself. This was a pain but something that had to be fixed eventually...

Just to confirm, when you edit the search, you're saying the local/savedsearches.conf doesn't get created if it was pushed by the deployer?

0 Karma

DalJeanis
SplunkTrust

Okay, so this link describes what is happening

https://answers.splunk.com/answers/121808/how-to-ensure-upgrade-of-saved-search-which-was-modified-b...

This link describes where to put the modified saved search so that it will be propagated correctly. See the section under "Where to place the configuration bundle on the deployer"

http://docs.splunk.com/Documentation/Splunk/6.5.3/DistSearch/PropagateSHCconfigurationchanges

0 Karma

DalJeanis
SplunkTrust

Where, precisely, are you editing the search? It is not likely to be the type of change that you are making; it is likely to be where you are making the change.

You need to edit it and deploy the update, not edit it on any SH. Otherwise, the deployer will just have to overwrite that pesky search that is getting out of sync with its master.

0 Karma

t183194
Explorer

The change being made is via Splunk Web. In this scenario the user is trying to remove an email address that was part of the deployed saved search. Hope this makes it clear.

0 Karma

t183194
Explorer

PS, we are using Splunk Enterprise 6.5.2

0 Karma