Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Deploy an app using deployment server and make sea...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an "app" that I deploy with my 4.x deployment server. It sends savedsearches.conf, tags.conf, props.conf, eventtypes.conf and transforms.conf to my distributed indexers globally (I have 4 indexers - US, EMEA, Asia and Latin America). This ensures when I run a distributed search that I have appropriate tags, etc. in place on all indexers.
In the 3.x world these configs pushed without issue. In 4.x I get the configuration to the boxes but the savedsearches, eventtypes, etc for example are not globally available. Can I define the deployment-app in such a way as to make all objects accessible in all apps. Basically want them to behave as if they were created in the search app.
I have all my *.conf files in /opt/splunk/etc/deployment-apps/discovery_indexer/default on the deployment server and this ends up in /opt/splunk/etc/apps/discovery_indexer/default on my indexers.
I saw reference to configuring local.meta on this page http://www.splunk.com/base/Documentation/4.0.10/Admin/Apparchitectureandobjectownership but I wasn't sure if this applied to apps delivered via deployment manager or not and also I couldn't find any detailed syntax on local.meta
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want everything globally available, simply put this in your local.meta file:
[] export = system
I found this trick in one of splunk's apps and just copied it. It's the simplest way to go back to the old 3.x style, everything-is-global approach.
If you want to to be more explict, or have more fine-grained control, you can make just certain types of objects globally available. For example, you can enable access to tags and saved searches like this:
[savedsearches] access = read : [ * ], write : [ admin ] owner = nobody export = system [tags] access = read : [ * ], write : [ admin ] owner = nobody export = system
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want everything globally available, simply put this in your local.meta file:
[] export = system
I found this trick in one of splunk's apps and just copied it. It's the simplest way to go back to the old 3.x style, everything-is-global approach.
If you want to to be more explict, or have more fine-grained control, you can make just certain types of objects globally available. For example, you can enable access to tags and saved searches like this:
[savedsearches] access = read : [ * ], write : [ admin ] owner = nobody export = system [tags] access = read : [ * ], write : [ admin ] owner = nobody export = system
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I went with your first suggestion and it worked like a charm. Thanks for throwing in the more detailed syntax as well.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
