- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- For Application Cleanup, what are the best practic...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For Application Cleanup, what are the best practices for moving default objects back to local?
During an upgrade last summer, Splunk PS (Professional Services) had our admin move all the local assets into default... which left us with a bunch of objects that we can't edit/delete. I will be leaving current company soon and looking to do a clean up before I go for my successor.
Looking for best practices for moving default back to local without overwriting local.
I am a power user and work exclusively from Splunk Web. We have a separate team of Splunk admins who manage the environment. We use search head clustering. Because we don't have access to back end we would rather just have full access to all objects in app.
Plan is to...
Get copy of app
Merge .conf file entries we wish to retain from default into local.
Similar for views = move to local
Overwrite the app on the search head captain with cleaned up copy
Restart splunk or destructive sync??? <---------------------------------------------MAIN QUESTION!!!
Thanks in advance for help/feedback.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since "search-head-clustering" is one of your tags I'm gonna guess that you are...
The reason that everything is default is because you are on a SHC.
The SHC is setup with 3 or more search heads and then a Deployer node, which handles configuration management for the cluster nodes.
The way that Splunk has engineered this, to make sure that changes made in the UI on your SHs are not overwritten by confs from the deployer, is that the deployer takes default and local configs and flattens them into default (after following standard splunk config precedence rules)
As a rule of thumb, on a SHC SH default is managed by the deployer and local is managed by user activity.
So....how can you delete things? Have whomever is responsible for managing the deployer delete the configs there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks... So based on this we should overwrite the default directory for the app on the SHC deployer with what I want to be there so the next deployment does not push the old objects back out...
http://docs.splunk.com/Documentation/Splunk/6.5.3/DistSearch/PropagateSHCconfigurationchanges
So something like...
Make NEW with what I want in default and local.
Put NEW default on deployer.
Put NEW local and default on SH Captain?
Do we need to restart after?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess what I am not saying clearly is that I need a bunch of objects from default added back to local. How best to do that cleanly?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi. Are you on a search head cluster?
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
