Deployment Architecture

Is there a way to identify all scheduled searches on a single search head and move them to a search head cluster in my dev environment?

a212830
Champion

Hi,

I'm looking to migrate off a single search-head onto SHC in my dev environment. Is there a way to 1) identify all the scheduled searches and 2) move them onto the new SHC?

0 Karma

onthebay
Path Finder

I would recommend a more structured approach:
1) Move complete search apps to your SHC
2) Disable the scheduled searches on the standalone search hed.

Details: Instead of trying to move individual searches moving by app is easier to control.

- The splunk cmd btool (from dwaddle) gives you a nice list of all apps that have scheduled searches.

- Go through each one and if you want that app's searches running on the SHC copy it to shcluster/apps on the SHC deployer.

- Once all apps have been copied do a cluster deploy
- Then go back to your standalone search head (or appropriate deployment server) and disable those searches so that they are no longer scheduled on the standalone server.

This will be easier to maintain and control.

If you continue to create apps on your standalone search head or you already have those same apps on the SHC you will need to merge the app files. I recommend winmerge for this 🙂

Cheers

dwaddle
SplunkTrust
SplunkTrust

The first half to this is not so horrible:

| rest /servicesNS/-/-/saved/searches | search is_scheduled=1 |  fields + title, eai:acl.app, eai:acl.owner

There, "identified" 🙂 The harder part is the "move". I would suggest a liberal application of things like:

splunk cmd btool --debug savedsearches list <searchname> | egrep -v "/etc/system/local/

To see where all the various pieces of your saved search is defined, and then grab the pieces from the .conf files directly and reassemble them on the other side.

Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...