Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Deployer - Saved Searches in default

skirven
Communicator
‎02-26-2020 04:42 AM

Hi!
I've inherited an app which contains custom searches only (this isn't a Splunkbase app, but an "in house" app.) My users want to be able to delete searches, etc from the app, but they can't. I want them to be able to both manage the searches in the app without having a new deployment, and also not have a subsequent push of all apps cause searches to come back.

To fix this, can I do the following:
1) On the SH Deployer, move the searches from default/savedsearches.conf to local
2) Set app.conf to use Full Deployment
3) Push the deployment
4) Set the app back to local?

Looking at this: https://docs.splunk.com/Documentation/Splunk/8.0.2/DistSearch/PropagateSHCconfigurationchanges, I think this will work, but I want to make sure.
"Use [full deployment] mode if you have a configuration on the deployer in the app's /local directory, and you want to push it to the members and then delete it from the deployer." - This is saying basically that it wipes out the app, and then pushes the new one, correct? Then, when I'm done, change it back to "local_only".

Am I reading that correctly? What I don't want to do is start having searches from the previous version being stored in users folders, etc.
Thanks!
Stephen

0 Karma
Reply

codebuilder
Influencer
‎03-16-2020 05:08 PM

Pushing apps to a SHC will never override the "local" files on the search heads. This is by design.
Changes made by individual users are stored in "local" and are not overwritten by the deployer. Local files always take precedence.
This ensures that the deployer does not wipe out individual changes/modifications made by the user.

Conversely, if the deployer has local files, those will be merged into "default" and pushed out to the SHC upon deployment. But still will not overwrite the local files on the search heads.

If you need/want to remove local app settings on the SHC, you can push out a empty app via the deployer, or delete the files manually.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...