I have recently created a field extraction on one search head that I have assigned all apps and users to read and write, and was wondering how long it would take for a change done in one search head to get replicated to other search heads?
Also, from what I know, changes done via the GUI are always replicated to other SHs; is this true? If so, what CAN and CANNOT be replicated across other search heads via the GUI?
Thanks,
Regards,
These are the main types of configuration changes that the cluster replicates:
Replication operates under these constraints:
Configuration methods that trigger replication
The cluster replicates changes made through these methods:
The cluster does not replicate any configuration changes that you make manually, such as direct edits to configuration files.
The cluster uses a whitelist to determine what changes to replicate. This whitelist is configured through the set of conf_replication_include attributes in the default version of server.conf, located in $SPLUNK_HOME/etc/system/default.
You can add or remove items from that list by editing the members' server.conf files under $SPLUNK_HOME/etc/system/local. If you change the whitelist, you must make the same changes on all cluster members.
For a comprehensive list of items in the whitelist, consult the default version of server.conf. This is the approximate set of whitelisted items:
alert_actions authentication authorize datamodels event_renderers eventtypes fields html literals lookups macros manager models multikv nav panels passwd passwords props quickstart savedsearches searchbnf searchscripts segmenters tags times transforms transactiontypes ui-prefs user-prefs views viewstates workflow_actions
The cluster replicates changes to all files underlying the whitelist items. In addition to configuration files themselves, this includes dashboard and nav XML, lookup table files, data model JSON files, and so on. The cluster also replicates permissions stored in *.meta files.
These are examples of the types of files replicated for various whitelist items:
# escape-hatch HTML views
conf_replication_include.html = true
# lookup table files
conf_replication_include.lookups = true
# manager XML
conf_replication_include.manager = true
# datamodel JSON files
conf_replication_include.models = true
# nav XML
conf_replication_include.nav = true
# view XML
conf_replication_include.views = true
Note: The cluster does not replicate user search history.
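The answer above says that any change to the whitelist must be made identically on all cluster members. As an added example (not part of the original post and not Splunk's own code), this Python script overlays each member's system/local server.conf on the default and reports the conf_replication_include items on which members disagree. It assumes the attributes sit in the [shclustering] stanza; the member names, the mycustom item and the file contents are constructed.

```python
PREFIX = "conf_replication_include."
TRUE_VALUES = {"true", "1", "t", "yes", "y"}  # boolean spellings normalized by this example

def replication_whitelist(conf_text):
    """Return {item: bool} for conf_replication_include.* under [shclustering]."""
    stanza, items = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif stanza == "shclustering" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.startswith(PREFIX):
                items[key[len(PREFIX):]] = value.lower() in TRUE_VALUES
    return items

def effective_whitelist(default_text, local_text):
    """system/local settings override system/default ones."""
    merged = replication_whitelist(default_text)
    merged.update(replication_whitelist(local_text))
    return merged

def find_drift(members):
    """members: {name: whitelist}. Return {item: {name: value}} where members disagree."""
    drift = {}
    for item in sorted(set().union(*members.values())):
        # Assumption: an item absent from a member's whitelist is not replicated there.
        seen = {name: wl.get(item, False) for name, wl in members.items()}
        if len(set(seen.values())) > 1:
            drift[item] = seen
    return drift

# Constructed sample input: one shared default and three members' local overrides.
DEFAULT = """[shclustering]
conf_replication_include.lookups = true
conf_replication_include.views = true
conf_replication_include.nav = true
"""
LOCALS = {
    "sh1": "[shclustering]\nconf_replication_include.mycustom = true\n",  # hypothetical item
    "sh2": "[shclustering]\n# disabled on this member only\nconf_replication_include.views = false\n",
    "sh3": "",
}

def sample_members():
    return {name: effective_whitelist(DEFAULT, local) for name, local in LOCALS.items()}

if __name__ == "__main__":
    for item, seen in find_drift(sample_members()).items():
        print(f"whitelist drift on '{item}': {seen}")
```
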
Thank you very much for the detailed explanation.
Ehhh. "The cluster doesn't replicate user search history". It's true. It's also confusing because there is an option for it set by default to false but setting it to true doesn't do anything. 😆