Dashboards & Visualizations

Splunk Deployer - Saved Searches in default

skirven
Communicator

Hi!
I've inherited an app which contains custom searches only (this isn't a Splunkbase app, but an "in house" app.) My users want to be able to delete searches, etc from the app, but they can't. I want them to be able to both manage the searches in the app without having a new deployment, and also not have a subsequent push of all apps cause searches to come back.

To fix this, can I do the following:
1) On the SH Deployer, move the searches from default/savedsearches.conf to local
2) Set app.conf to use Full Deployment
3) Push the deployment
4) Set the app back to local?

Looking at this: https://docs.splunk.com/Documentation/Splunk/8.0.2/DistSearch/PropagateSHCconfigurationchanges, I think this will work, but I want to make sure.
"Use [full deployment] mode if you have a configuration on the deployer in the app's /local directory, and you want to push it to the members and then delete it from the deployer." - This is saying basically that it wipes out the app, and then pushes the new one, correct? Then, when I'm done, change it back to "local_only".

Am I reading that correctly? What I don't want to do is start having searches from the previous version being stored in users folders, etc.
Thanks!
Stephen

0 Karma

codebuilder
Influencer

Pushing apps to a SHC will never override the "local" files on the search heads. This is by design.
Changes made by individual users are stored in "local" and are not overwritten by the deployer. Local files always take precedence.
This ensures that the deployer does not wipe out individual changes/modifications made by the user.

Conversely, if the deployer has local files, those will be merged into "default" and pushed out to the SHC upon deployment. But still will not overwrite the local files on the search heads.

If you need/want to remove local app settings on the SHC, you can push out a empty app via the deployer, or delete the files manually.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Get Updates on the Splunk Community!

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...