Deployment Architecture

Is there a way to identify all scheduled searches on a single search head and move them to a search head cluster in my dev environment?

a212830
Champion

Hi,

I'm looking to migrate off a single search-head onto SHC in my dev environment. Is there a way to 1) identify all the scheduled searches and 2) move them onto the new SHC?

0 Karma

onthebay
Path Finder

I would recommend a more structured approach:
1) Move complete search apps to your SHC
2) Disable the scheduled searches on the standalone search hed.

Details: Instead of trying to move individual searches moving by app is easier to control.

- The splunk cmd btool (from dwaddle) gives you a nice list of all apps that have scheduled searches.

- Go through each one and if you want that app's searches running on the SHC copy it to shcluster/apps on the SHC deployer.

- Once all apps have been copied do a cluster deploy
- Then go back to your standalone search head (or appropriate deployment server) and disable those searches so that they are no longer scheduled on the standalone server.

This will be easier to maintain and control.

If you continue to create apps on your standalone search head or you already have those same apps on the SHC you will need to merge the app files. I recommend winmerge for this 🙂

Cheers

dwaddle
SplunkTrust
SplunkTrust

The first half to this is not so horrible:

| rest /servicesNS/-/-/saved/searches | search is_scheduled=1 |  fields + title, eai:acl.app, eai:acl.owner

There, "identified" 🙂 The harder part is the "move". I would suggest a liberal application of things like:

splunk cmd btool --debug savedsearches list <searchname> | egrep -v "/etc/system/local/

To see where all the various pieces of your saved search is defined, and then grab the pieces from the .conf files directly and reassemble them on the other side.

Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...