Deployment Architecture

Is there a way to identify all scheduled searches on a single search head and move them to a search head cluster in my dev environment?

a212830
Champion

Hi,

I'm looking to migrate off a single search-head onto SHC in my dev environment. Is there a way to 1) identify all the scheduled searches and 2) move them onto the new SHC?


onthebay
Path Finder

I would recommend a more structured approach:
1) Move complete search apps to your SHC
2) Disable the scheduled searches on the standalone search head.

Details: Instead of trying to move individual searches, moving by app is easier to control.

- The splunk cmd btool (from dwaddle) gives you a nice list of all apps that have scheduled searches.

- Go through each one and if you want that app's searches running on the SHC copy it to shcluster/apps on the SHC deployer.

- Once all apps have been copied, do a cluster deploy.
- Then go back to your standalone search head (or appropriate deployment server) and disable those searches so that they are no longer scheduled on the standalone server.

This will be easier to maintain and control.

If you continue to create apps on your standalone search head, or you already have those same apps on the SHC, you will need to merge the app files. I recommend WinMerge for this 🙂

Cheers

dwaddle
SplunkTrust

The first half to this is not so horrible:

| rest /servicesNS/-/-/saved/searches | search is_scheduled=1 |  fields + title, eai:acl.app, eai:acl.owner

There, "identified" 🙂 The harder part is the "move". I would suggest a liberal application of things like:

splunk cmd btool --debug savedsearches list <searchname> | egrep -v "/etc/system/local/"

To see where all the various pieces of your saved search are defined, and then grab the pieces from the .conf files directly and reassemble them on the other side.
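The per-app inventory both answers describe, as an added example that is not from any poster in this thread: it reads each app's `default` and `local` `savedsearches.conf`, lets `local` override `default`, and lists the searches whose `enableSched` is on together with their `cron_schedule`. The function names and the sample tree are constructed for illustration; it assumes the usual `etc/apps/<app>/{default,local}` layout and does not look at private searches under `etc/users`.

```python
import tempfile
from pathlib import Path

def parse_conf(path):
    """Parse a Splunk .conf file into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    text = Path(path).read_text(encoding="utf-8").replace("\\\n", " ")  # join continued lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def scheduled_by_app(apps_dir):
    """Return {app: {search_name: cron_schedule}} where enableSched is on."""
    report = {}
    for app in sorted(Path(apps_dir).iterdir()):
        merged = {}
        for layer in ("default", "local"):     # local overrides default
            conf = app / layer / "savedsearches.conf"
            if conf.is_file():
                for stanza, kv in parse_conf(conf).items():
                    merged.setdefault(stanza, {}).update(kv)
        found = {name: kv.get("cron_schedule", "") for name, kv in merged.items()
                 if name != "default" and kv.get("enableSched", "0").lower() in ("1", "true")}
        if found:
            report[app.name] = found
    return report

SAMPLE = {  # constructed sample files, not data from the thread
    "app_alerts/default/savedsearches.conf": "[Failed logins]\nsearch = index=auth \\\n"
        "| stats count by user\nenableSched = 1\ncron_schedule = */15 * * * *\n[Ad hoc]\nsearch = index=web\n",
    "app_reports/default/savedsearches.conf": "[Nightly]\nenableSched = 1\ncron_schedule = 0 2 * * *\n",
    "app_reports/local/savedsearches.conf": "[Nightly]\nenableSched = 0\n",
}

def build_sample(root):
    for rel, body in SAMPLE.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for app, searches in scheduled_by_app(tmp).items():
            print(app, searches)
```

In the sample, `app_reports` drops out of the list because its `local` file turns the schedule off, which is the kind of override the btool `--debug` output exposes.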
