which deployer push mode is best or rather, what are the benefits of not going with the default 'merge_to_default'? just trying to understand what the community does in SHC because we usually use the default first time round (new app) and from there, revert to 'local_only' mode..
There is a good section that discusses each push mode on Splunk Docs. Refer to Choose a deployer push mode section of the Use the deployer to distribute apps and configuration updates page.
Here is a short summary of each of the push mode use cases:
full
Use this mode to push app configurations to both /local and /default app directories on the members. For example, if you have a saved search that exists only in /local on the members, pushing the /local and /default app configurations to their respective directories on the members maintains the saved search configuration, and lets you subsequently delete the saved search on the members using Splunk Web.
Use this mode to migrate apps from a single search head to a new search head cluster. This retains the exact /local and /default directory configurations as they appear on the original search head.
Use this mode if you have a configuration on the deployer in the app's /local directory, and you want to push it to the members and then delete it from the deployer.
local_only
Use this mode to modify only those apps that already exist on the members.
Use this mode to modify the /local configuration for a built-in app, such as the Search app.
default_only
Use this mode if you want to explicitly abandon changes made in an app's /local directory. For example, if an app on the deployer has pre-existing configurations in the /local directory, and you delete those configurations on the members, using default_only mode prevents those configurations from re-appearing on the next deployer push.
merge_to_default
Use this mode if you have a configuration on the deployer in the app's /local directory, and you want to push it to the members and then delete it from the deployer.
There is a good section that discusses each push mode on Splunk Docs. Refer to Choose a deployer push mode section of the Use the deployer to distribute apps and configuration updates page.
Here is a short summary of each of the push mode use cases:
full
Use this mode to push app configurations to both /local and /default app directories on the members. For example, if you have a saved search that exists only in /local on the members, pushing the /local and /default app configurations to their respective directories on the members maintains the saved search configuration, and lets you subsequently delete the saved search on the members using Splunk Web.
Use this mode to migrate apps from a single search head to a new search head cluster. This retains the exact /local and /default directory configurations as they appear on the original search head.
Use this mode if you have a configuration on the deployer in the app's /local directory, and you want to push it to the members and then delete it from the deployer.
local_only
Use this mode to modify only those apps that already exist on the members.
Use this mode to modify the /local configuration for a built-in app, such as the Search app.
default_only
Use this mode if you want to explicitly abandon changes made in an app's /local directory. For example, if an app on the deployer has pre-existing configurations in the /local directory, and you delete those configurations on the members, using default_only mode prevents those configurations from re-appearing on the next deployer push.
merge_to_default
Use this mode if you have a configuration on the deployer in the app's /local directory, and you want to push it to the members and then delete it from the deployer.