Deployment Architecture

How can I migrate users' existing knowledge objects within their own user directories to a search head cluster so they can delete them via the gui?


I've encountered an issue when migrating from a search head pool to a cluster. Users are unable to delete their own objects (savedsearches/macros/dashboards etc).

This is due to how I deployed them originally using the deployer. As such I need to manually delete them from the deployer and then apply that bundle to the cluster to remove them.

As I am doing another migration I would like to know the best way to move the users' objects across so I don't get stuck like this again.

So my question is, how can I initially migrate users knowledge objects contained within their own user dirs into a search head cluster so that they have the ability to delete their own objects like they did before?

0 Karma


This was the advice I'd gotten and implemented to move into a search head cluster. In my case it was standalone to cluster but these steps should still accomplish what you're looking for.

  1. Put only the default directories of the apps from your old environment on the deployer. Make sure you do not inadvertently put the search app on the deployer, trust me when I say the results are not pretty if you do and that gets pushed.
  2. Push the bundle from your deployer.
  3. Copy the users directory and the local directories of the apps to each search head cluster members. This way, since they're not defined on the deployer, users will be able to delete them and fully manage their own objects.
  4. Do a rolling restart to apply those local and user updates.
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...