Is search history replicated?

a212830
Champion

Hi,

Testing out 6.4, and I noticed that the search-history feature is not replicated across SH. Is this possible?

woodcock
Esteemed Legend

This has finally been addressed in a useable way that seems to not have any downside/impact in 9.1 (search for "Preserve search history across search heads"):
https://docs.splunk.com/Documentation/Splunk/9.1.1/ReleaseNotes/MeetSplunk

Scarily enough, it appears to be enabled by default.

bloehr_splunk
Splunk Employee

The feature you are looking at:

[shclustering]
conf_replication_include.history = true

This does not work.

Per the Splunk docs:
Note: The cluster does not replicate user search history. This is reflected in the default server.conf file, which includes the line, conf_replication_include.history = false. Changing that value to "true" has no effect and does not cause the cluster to replicate search history.

Here is the link to the Splunk docs:

http://docs.splunk.com/Documentation/Splunk/6.4.0/DistSearch/HowconfrepoworksinSHC

0 Karma

esix_splunk
Splunk Employee

For SHC - by default it isn't replicated, you need to enable it in the server.conf:

[shclustering]
conf_replication_include.history = true

You can refer to this Answers post also: https://answers.splunk.com/answers/391876/is-there-any-way-to-get-splunk-to-replicate-search.html

jplumsdaine22
Influencer

@esix I raised a support issue for this problem for version 6.3.2 and was told:

we do not recommend changing the value of conf_replication_include.history to true as this could have a significant impact on performance.

Is this still the case or has the performance impact been fixed in 6.4?

0 Karma

esix_splunk
Splunk Employee

Most likely, still the case...

0 Karma

a212830
Champion

Thanks. I added this to server.conf, in my own "app" in the deployer, and pushed it out. I also noticed that the SH's restarted. I still don't see the search history replicating however.

[shclustering]
captain_is_adhoc_searchhead = true
conf_replication_include.history = true

0 Karma

esix_splunk
Splunk Employee

Check with btool on your SH instances in the SHC. Confirm that the app deployed correctly and that the server.conf is updated:

splunk btool server list shclustering --debug

That will show you the applied configs and which app context they are being applied from.

0 Karma
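The btool check suggested above, as an added example that is not part of the original thread: a small shell function that reads the `--debug` output and reports the effective value of a key and which conf file supplied it. It only confirms what configuration is applied on a member, not whether history is actually replicated. The function name, the sample paths and the app name are hypothetical, and conf file paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the thread). Function name and sample are hypothetical.

# Constructed sample of `splunk btool server list shclustering --debug` output,
# in the "<conf file> <key> = <value>" shape shown in the thread.
SAMPLE_BTOOL_OUTPUT='/opt/splunk/etc/system/default/server.conf [shclustering]
/opt/splunk/etc/apps/example_shc_base/default/server.conf captain_is_adhoc_searchhead = true
/opt/splunk/etc/apps/example_shc_base/default/server.conf conf_replication_include.history = true'

# Read btool --debug output on stdin and print, tab-separated:
#   <effective value> <origin> <conf file that supplied it>
# Returns 1 if the key is not present in the output.
# Assumes conf file paths contain no spaces.
btool_setting_source() {
    awk -v key="$1" '
        $2 == key && $3 == "=" {
            origin = "other"
            if ($1 ~ /\/etc\/system\/default\//)    origin = "system-default"
            else if ($1 ~ /\/etc\/system\/local\//) origin = "system-local"
            else if ($1 ~ /\/etc\/apps\//)          origin = "app"
            printf "%s\t%s\t%s\n", $4, origin, $1
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# On a search head cluster member you would pipe the real command in:
#   splunk btool server list shclustering --debug \
#     | btool_setting_source conf_replication_include.history
printf '%s\n' "$SAMPLE_BTOOL_OUTPUT" \
    | btool_setting_source conf_replication_include.history
```

Running it on every cluster member and comparing the three fields shows quickly whether one member is still picking the value up from a different file than the others.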

a212830
Champion

I entered the command, and here's the only line with that setting (which is my app), so I'm still not sure why this isn't working.

/apps/splunk/etc/apps/baseconfig_dev_shc_license/default/server.conf conf_replication_include.history = true

0 Karma

esix_splunk
Splunk Employee

Do you mean in SHC? Or across separate search heads?

0 Karma

a212830
Champion

Using SHC.

0 Karma