Hi! I am looking to try to standardize my configuration across my Search Head Cluster. I have 15 Search Heads, and what I am looking to do is move my etc/system/local configs to a searchhead app (let's call it etc/apps/searchhead).
Looking at my files, most of them should be fine, but I was wondering about the syntax for the distsearch.conf lookups. What I have now is like: lkp1 = apps/idm_search/lookups/lkpInterceptAttempt.csv
Would that same path find the file when the file is in /opt/splunk/etc/apps/searchhead/distsearch.conf? Or do I have to be more explicit about its location?
Bump. Also, I've been researching this, and it looks like it's best practice just to put it in $SPLUNK_HOME/etc/system/local? What's the best practice to keep that up to date? I was hoping to be able to have all of the configurations pushed from the deployer once it's been connected?