Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Creating reports in one SHC member will cause issu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
We have three search heads members. Now I'm creating a report for an custom app from a SHC member. So it created a local directory for that app in that SHC member. and the changes are also replicated to all other SHC. Now I'm afraid of the changes I made.
Since it created local directory, Content in default directory will get affected?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @maniu1609,
When you create any knowledge objects in splunk search head it always stores in local directory. This is to prevent default settings and when you upgrade any application it will not overwrite your knowledge objects config which you have created from Splunk Web.
Now in splunk local directory has higher precedence then default directory. Let's understand with example, let's say you have one scheduled search test_search and in default directory savedsearches.conf contains index=abc | table host,sourcetype. Now you will change this schedule search from Splunk Web and you will change query to index=abc | stats count by host this sconfiguration will store in local directory of app so in future when this schedule search will run it will run index=abc | stats count by host from local directory not default because local directory has higher precedence than default directory.
If you want to keep your configuration in default directory on all SHC member due to process/requirement then you need to add configuration in your app on Deployer and you need to push bundle from Deployer to all SHC members everytime.
I hope this helps.
Thanks,
Harshil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @maniu1609,
When you create any knowledge objects in splunk search head it always stores in local directory. This is to prevent default settings and when you upgrade any application it will not overwrite your knowledge objects config which you have created from Splunk Web.
Now in splunk local directory has higher precedence then default directory. Let's understand with example, let's say you have one scheduled search test_search and in default directory savedsearches.conf contains index=abc | table host,sourcetype. Now you will change this schedule search from Splunk Web and you will change query to index=abc | stats count by host this sconfiguration will store in local directory of app so in future when this schedule search will run it will run index=abc | stats count by host from local directory not default because local directory has higher precedence than default directory.
If you want to keep your configuration in default directory on all SHC member due to process/requirement then you need to add configuration in your app on Deployer and you need to push bundle from Deployer to all SHC members everytime.
I hope this helps.
Thanks,
Harshil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All the changes that you do to the dashboards on search head will automatically get replicated to others search head nodes in your search head cluster.
You can refer following docs for further information.
https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0ahUKEwjVt6Di6PTXAhULVbwKHaTLA...
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
