During an upgrade last summer, Splunk PS (Professional Services) had our admin move all the local assets into default... which left us with a bunch of objects that we can't edit/delete. I will be leaving my current company soon and am looking to do a cleanup for my successor before I go.
Looking for best practices for moving default back to local without overwriting local.
I am a power user and work exclusively from Splunk Web. We have a separate team of Splunk admins who manage the environment. We use search head clustering. Because we don't have access to the back end, we would rather just have full access to all objects in the app.
Plan is to...
1. Get a copy of the app.
2. Merge the .conf file entries we wish to retain from default into local.
3. Similar for views = move to local.
4. Overwrite the app on the search head captain with the cleaned-up copy.
5. Restart Splunk or destructive sync??? <-- MAIN QUESTION!!!
Thanks in advance for help/feedback.
Since "search-head-clustering" is one of your tags I'm gonna guess that you are...
The reason that everything is default is because you are on a SHC.
The SHC is set up with 3 or more search heads and then a Deployer node, which handles configuration management for the cluster nodes.
The way that Splunk has engineered this, to make sure that changes made in the UI on your SHs are not overwritten by confs from the deployer, is that the deployer takes default and local configs and flattens them into default (after following standard Splunk config precedence rules).
As a rule of thumb, on a SHC SH default is managed by the deployer and local is managed by user activity.
So... how can you delete things? Have whoever is responsible for managing the deployer delete the configs there.
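The flattening described in the answer above (local merged into default, with local winning per setting), as an added Python sketch that is not part of the thread and not Splunk's own code: it previews the merged result for one .conf file and lists the settings where local overrides default. The stanza names and searches are constructed sample data, and continuation lines are joined with a space for readability.

```python
# Added illustration: preview how default/ and local/ copies of one .conf
# file combine when local takes precedence setting by setting.
DEFAULT = """
[Failed logins by host]
search = index=auth action=failure \\
| stats count by host
cron_schedule = 0 * * * *
disabled = 0

[Old report]
search = index=main | head 10
"""  # constructed sample for default/savedsearches.conf
LOCAL = """
[Failed logins by host]
cron_schedule = */15 * * * *

[New report]
search = index=web status=500
"""  # constructed sample for local/savedsearches.conf

def logical_lines(text):
    """Yield stripped lines, joining lines that end in a backslash."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1].strip() + " "
            continue
        yield buf + raw.strip()
        buf = ""

def parse_conf(text):
    """Return {stanza: {key: value}}; settings before any stanza are global."""
    stanzas, current = {}, "default"
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def flatten(default_text, local_text):
    """Merge local over default, one setting at a time."""
    merged = parse_conf(default_text)
    for stanza, settings in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(settings)
    return merged

def shadowed(default_text, local_text):
    """(stanza, key) pairs where local overrides a different default value."""
    d, l = parse_conf(default_text), parse_conf(local_text)
    return sorted((s, k) for s in l for k in l[s]
                  if k in d.get(s, {}) and d[s][k] != l[s][k])
```

Running `shadowed()` on the two copies before merging by hand shows exactly which settings would change if one side were copied over the other.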
Thanks... So based on this we should overwrite the default directory for the app on the SHC deployer with what I want to be there so the next deployment does not push the old objects back out...
So something like...
1. Make NEW with what I want in default and local.
2. Put NEW default on deployer.
3. Put NEW local and default on SH Captain?
Do we need to restart after?