Splunk Search

Searches not being scheduled on Search Head Cluster when created locally in an application

splunkto
Explorer

In order to organised things on a search head cluster for various teams/permissions we've been setting up applications on the deployment server with permissions. The idea is that teams would have permissions to deploy searches and evaluations into their own team applications to keep things organised and separated from other teams (or core apps we deploy). One thing we've run into is that if a search is pushed by the deployment server, you can modify it, schedule it, and it runs fine. You can not delete it.

If you create a NEW scheduled search in the application from one of the search heads, you can run the search manually but if you save it the date of the next scheduled execution is displayed for about 10 seconds, then set to 'none'. Regardless of what we change the search to it never automatically executes.

Does anyone have an idea of what we might be doing wrong?

Edit: I just tested the search app, and the result is the same. So any scheduled jobs not provided by the deployer to the cluster are never scheduled.

Tags (1)
0 Karma
1 Solution

splunkto
Explorer

Alright I'm answering my own question because I solved it, and in case someone has the same issue hopefully this will save some pain.

When porting over searches from a stand-alone search head to the deployer app on one of the searches (the first one) the stanza name was excluded when pasting the configs. This lead the content to be moved to the default stanza, and this was causing issues with new searches created on the cluster (I think enableSched = 1 was the culprit setting). As soon as I added the appropriate stanza header the problem was resolved.

View solution in original post

splunkto
Explorer

Alright I'm answering my own question because I solved it, and in case someone has the same issue hopefully this will save some pain.

When porting over searches from a stand-alone search head to the deployer app on one of the searches (the first one) the stanza name was excluded when pasting the configs. This lead the content to be moved to the default stanza, and this was causing issues with new searches created on the cluster (I think enableSched = 1 was the culprit setting). As soon as I added the appropriate stanza header the problem was resolved.

somesoni2
SplunkTrust
SplunkTrust

Good catch.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The sharing permission on the NEW scheduled search would be private, can you try to change it to 'This app' and see if it retains the schedule?

0 Karma

splunkto
Explorer

We've tried that and all apps, and it still doesn't work.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi splunkto,
if you have a Search Head Cluster, you cannot use Deployment Server to deploy Apps on SHs (see http://docs.splunk.com/Documentation/Splunk/6.5.2/DistSearch/PropagateSHCconfigurationchanges).

"You must use the deployer, not the deployment server, to distribute apps to cluster members. Use of the deployer eliminates the possibility of conflict with the run-time updates that the cluster replicates automatically by means of the mechanism described in Configuration updates that the cluster replicates."

Bye.
Giuseppe

0 Karma

splunkto
Explorer

I suppose I should have said Deployer Server (the terminology is really bad for these). I am using the proper deployer server to push apps to the cluster as documented.

Thank you for pointing that out though just in case.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...