Splunk Deployer - Saved Searches in default

skirven
Communicator

Hi!
I've inherited an app which contains custom searches only (this isn't a Splunkbase app, but an "in house" app.) My users want to be able to delete searches, etc. from the app, but they can't. I want them to be able to both manage the searches in the app without having a new deployment, and also not have a subsequent push of all apps cause searches to come back.

To fix this, can I do the following:
1) On the SH Deployer, move the searches from default/savedsearches.conf to local
2) Set app.conf to use Full Deployment
3) Push the deployment
4) Set the app back to local?

Looking at this: https://docs.splunk.com/Documentation/Splunk/8.0.2/DistSearch/PropagateSHCconfigurationchanges, I think this will work, but I want to make sure.
"Use [full deployment] mode if you have a configuration on the deployer in the app's /local directory, and you want to push it to the members and then delete it from the deployer." - This is saying basically that it wipes out the app, and then pushes the new one, correct? Then, when I'm done, change it back to "local_only".

Am I reading that correctly? What I don't want to do is start having searches from the previous version being stored in users' folders, etc.
Thanks!
Stephen

0 Karma

codebuilder
Influencer

Pushing apps to a SHC will never override the "local" files on the search heads. This is by design.
Changes made by individual users are stored in "local" and are not overwritten by the deployer. Local files always take precedence.
This ensures that the deployer does not wipe out individual changes/modifications made by the user.

Conversely, if the deployer has local files, those will be merged into "default" and pushed out to the SHC upon deployment. But still will not overwrite the local files on the search heads.

If you need/want to remove local app settings on the SHC, you can push out an empty app via the deployer, or delete the files manually.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
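The layering discussed in this thread, as an added example that is not part of either post: a simplified Python model of how an app's `local` settings sit on top of its `default` settings on a search head, attribute by attribute. The stanza names and conf contents are constructed sample data, and the model does not cover deployer push modes or multi-line values.

```python
# Added illustration: models default/local layering for one app on a search head.
# All conf text below is constructed sample data, not taken from the thread.

def parse_conf(text):
    """Parse simple .conf text into {stanza: {key: value}} (no line continuations)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective(default, local):
    """Merge per attribute: a key set in local wins over the same key in default."""
    merged = {name: dict(attrs) for name, attrs in default.items()}
    for name, attrs in local.items():
        merged.setdefault(name, {}).update(attrs)
    return merged

# What a push places in the app's default/ directory on a member (constructed).
PUSHED_DEFAULT = """
[Failed logins]
search = index=auth action=failure | stats count by user
cron_schedule = */5 * * * *
"""

# What already sits in the member's local/ after a user edit (constructed).
MEMBER_LOCAL = """
[Failed logins]
cron_schedule = 0 * * * *
[Old report]
search = index=main | head 10
"""

def member_view():
    """Effective savedsearches settings the member ends up with after the push."""
    return effective(parse_conf(PUSHED_DEFAULT), parse_conf(MEMBER_LOCAL))

if __name__ == "__main__":
    for stanza, attrs in member_view().items():
        print(stanza, attrs)
```

The user's schedule edit and the search that exists only in `local` both survive the push, which is why previously saved local content has to be cleaned up on the members themselves.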