Dashboards & Visualizations

Splunk Deployer - Saved Searches in default

skirven
Communicator

Hi!
I've inherited an app which contains custom searches only (this isn't a Splunkbase app, but an "in house" app.) My users want to be able to delete searches, etc from the app, but they can't. I want them to be able to both manage the searches in the app without having a new deployment, and also not have a subsequent push of all apps cause searches to come back.

To fix this, can I do the following:
1) On the SH Deployer, move the searches from default/savedsearches.conf to local
2) Set app.conf to use Full Deployment
3) Push the deployment
4) Set the app back to local?

Looking at this: https://docs.splunk.com/Documentation/Splunk/8.0.2/DistSearch/PropagateSHCconfigurationchanges, I think this will work, but I want to make sure.
"Use [full deployment] mode if you have a configuration on the deployer in the app's /local directory, and you want to push it to the members and then delete it from the deployer." - This is saying basically that it wipes out the app, and then pushes the new one, correct? Then, when I'm done, change it back to "local_only".

Am I reading that correctly? What I don't want to do is start having searches from the previous version being stored in users folders, etc.
Thanks!
Stephen

0 Karma

codebuilder
Influencer

Pushing apps to a SHC will never override the "local" files on the search heads. This is by design.
Changes made by individual users are stored in "local" and are not overwritten by the deployer. Local files always take precedence.
This ensures that the deployer does not wipe out individual changes/modifications made by the user.

Conversely, if the deployer has local files, those will be merged into "default" and pushed out to the SHC upon deployment. But still will not overwrite the local files on the search heads.

If you need/want to remove local app settings on the SHC, you can push out a empty app via the deployer, or delete the files manually.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...