For Application Cleanup, what are the best practices for moving default objects back to local?

snoobzilla
Builder

During an upgrade last summer, Splunk PS (Professional Services) had our admin move all the local assets into default... which left us with a bunch of objects that we can't edit/delete. I will be leaving my current company soon and am looking to do a cleanup for my successor before I go.

Looking for best practices for moving default back to local without overwriting local.

I am a power user and work exclusively from Splunk Web. We have a separate team of Splunk admins who manage the environment. We use search head clustering. Because we don't have access to the back end, we would rather just have full access to all objects in the app.

Plan is to...
1. Get copy of app
2. Merge .conf file entries we wish to retain from default into local.
3. Similar for views = move to local
4. Overwrite the app on the search head captain with cleaned up copy
5. Restart splunk or destructive sync??? <--- MAIN QUESTION!!!

Thanks in advance for help/feedback.

0 Karma

darrenfuller
Contributor

Since "search-head-clustering" is one of your tags I'm gonna guess that you are...

The reason that everything is default is because you are on a SHC.

The SHC is set up with 3 or more search heads and then a Deployer node, which handles configuration management for the cluster nodes.

The way that Splunk has engineered this, to make sure that changes made in the UI on your SHs are not overwritten by confs from the deployer, is that the deployer takes default and local configs and flattens them into default (after following standard Splunk config precedence rules).

As a rule of thumb, on a SHC SH default is managed by the deployer and local is managed by user activity.

So... how can you delete things? Have whoever is responsible for managing the deployer delete the configs there.

0 Karma

snoobzilla
Builder

Thanks... So based on this we should overwrite the default directory for the app on the SHC deployer with what I want to be there so the next deployment does not push the old objects back out...

http://docs.splunk.com/Documentation/Splunk/6.5.3/DistSearch/PropagateSHCconfigurationchanges

So something like...
Make NEW with what I want in default and local.
Put NEW default on deployer.
Put NEW local and default on SH Captain?

Do we need to restart after?

0 Karma

snoobzilla
Builder

I guess what I am not saying clearly is that I need a bunch of objects from default added back to local. How best to do that cleanly?

0 Karma
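
The merge asked about above (copy selected stanzas from default into local without overwriting anything local already sets), as an added example that is not from either poster or from Splunk's own tooling. The function names and the sample savedsearches.conf contents are constructed for illustration; the code works on the text of a copied app's files and does not touch a deployer or cluster.

```python
# Added example; function names and sample file contents are constructed.
def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current, cont = {}, "default", None  # pre-header keys go to [default]
    for raw in text.splitlines():
        if cont is not None:                  # inside a backslash-continued value
            stanzas[current][cont] += "\n" + raw
            cont = cont if raw.endswith("\\") else None
            continue
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas.setdefault(current, {})[key] = value
            cont = key if value.endswith("\\") else None
    return stanzas

def merge_into_local(default_text, local_text, keep):
    """Copy the stanzas named in `keep` from default; existing local keys win."""
    default, local = parse_conf(default_text), parse_conf(local_text)
    merged = {name: dict(settings) for name, settings in local.items()}
    for name in keep:
        for key, value in default.get(name, {}).items():
            merged.setdefault(name, {}).setdefault(key, value)
    return merged

def render_conf(stanzas):
    """Serialize {stanza: {key: value}} back to .conf text."""
    return "\n".join(f"[{name}]\n" + "".join(f"{k} = {v}\n" for k, v in kv.items())
                     for name, kv in stanzas.items())

# Constructed sample input (raw string keeps the trailing backslash literal).
DEFAULT_CONF = r"""[Failed Logins]
search = index=auth action=failure \
    | stats count by user
cron_schedule = 0 * * * *
enableSched = 1

[Old Report]
search = index=main | head 10
"""
LOCAL_CONF = "[Failed Logins]\ncron_schedule = */15 * * * *\n"

if __name__ == "__main__":
    print(render_conf(merge_into_local(DEFAULT_CONF, LOCAL_CONF, ["Failed Logins"])))
```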

darrenfuller
Contributor

Hi. Are you on a search head cluster?

0 Karma