Deployment Architecture

Is it best practice to migrate eventtypes to the Search app with or without the search head cluster deployer?

pattokt
Explorer

Is it best practice to copy the /search/local directory to the new search head cluster members and not use the deployer? I used a deployer to set up LDAP, but per documentation, it says not to do the same for the search application.

Per Documentation:

The types of updates that the deployer handles
These are the specific types of updates that require the deployer:

  • New or upgraded apps.
  • Configuration files that you edit directly.
  • All non-search-related updates, even those that can be configured through the CLI or Splunk Web, such as updates to indexes.conf or inputs.conf.
  • Settings that need to be migrated from a search head pool or a standalone search head. These can be app or user settings.
0 Karma
1 Solution

lguinn2
Legend

Do not use the Deployer to update the apps that come with Splunk: search, launcher, etc. Here is an answer that should help, along with a link to the documentation

Migrate from a standalone searchheads

Migrating separate environments to SHC

I guess that you could do this manually, without the deployer, but it would be hard and error-prone. IMO, the method described in the doc/answer will work better.

View solution in original post

lguinn2
Legend

Do not use the Deployer to update the apps that come with Splunk: search, launcher, etc. Here is an answer that should help, along with a link to the documentation

Migrate from a standalone searchheads

Migrating separate environments to SHC

I guess that you could do this manually, without the deployer, but it would be hard and error-prone. IMO, the method described in the doc/answer will work better.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...