Edit (overwrite) values in conf file in local dire...

dan_ · ‎02-06-2022

Hi,

what is the best way to edit (overwrite) values in savedsearch.conf file in local directory on SHC members using deployer?

PickleRick · ‎02-06-2022

What do you mean by "in local directory"?

See https://docs.splunk.com/Documentation/Splunk/8.2.4/DistSearch/PropagateSHCconfigurationchanges#What_...

And

https://docs.splunk.com/Documentation/Splunk/8.2.4/DistSearch/PropagateSHCconfigurationchanges#Choos...

dan_ · ‎02-06-2022

Let me explain with scenario.

I have below savedsearch.conf file on SHC member's directory /splunk/etc/apps/my_apps/local/

savedsearch.conf

[sample_stanza]

x = sample_value

I want to edit(overwrite) the file as below.

savedsearch.conf

[sample_stanza]

x = new_value

If I edit savedsearch.conf file in /splunk/etc/shcluster/apps/my_apps/local/ on deployer and push it to SHC members as local_only mode, it will not change the value of x to new value since the existing config has precidence. So in this case how can I overwirte the value of x = new_value in SHC members using deployer ?

PickleRick · ‎02-06-2022

It seems that it's not possible with the deployer. All deployment options which touch the local config explicitly state that "the existing configuration on the member takes precedence". It makes sense - If you give some user permissions to edit some app's configuration (be it saved search, lookups, dashboards, whatever), why would you want to overwrite it, possibly destroying consistency if you delete some objects on which other objects rely?

Edit (overwrite) values in conf file in local directory on SHC members using deployer

search head

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms