Splunk Deployer - Saved Searches in default

I've inherited an app which contains custom searches only (this isn't a Splunkbase app, but an "in house" app). My users want to be able to delete searches, etc. from the app, but they can't. I want them to be able to both manage the searches in the app without having a new deployment, and also not have a subsequent push of all apps cause searches to come back.

To fix this, can I do the following:
1) On the SH Deployer, move the searches from default/savedsearches.conf to local
2) Set app.conf to use Full Deployment
3) Push the deployment
4) Set the app back to local?

Looking at this: https://docs.splunk.com/Documentation/Splunk/8.0.2/DistSearch/PropagateSHCconfigurationchanges, I think this will work, but I want to make sure.
"Use [full deployment] mode if you have a configuration on the deployer in the app's /local directory, and you want to push it to the members and then delete it from the deployer." - This is saying basically that it wipes out the app, and then pushes the new one, correct? Then, when I'm done, change it back to "local_only".

Am I reading that correctly? What I don't want to do is start having searches from the previous version being stored in users' folders, etc.


Pushing apps to a SHC will never override the "local" files on the search heads. This is by design.
Changes made by individual users are stored in "local" and are not overwritten by the deployer. Local files always take precedence.
This ensures that the deployer does not wipe out individual changes/modifications made by the user.

Conversely, if the deployer has local files, those will be merged into "default" and pushed out to the SHC upon deployment. But still will not overwrite the local files on the search heads.

If you need/want to remove local app settings on the SHC, you can push out an empty app via the deployer, or delete the files manually.

An upvote would be appreciated and Accept Solution if it helps!
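
The layering described in the answer above, as a small model added here for illustration (not Splunk's code and not written by either poster). It assumes exactly the behaviour the answer states: the deployer's local is merged into default before the push, and the member's local is left alone and wins. `parse_conf`, `layer`, `push` and `origin` are hypothetical helpers, and all stanzas are constructed sample data.

```python
# Added illustration: models the default/local layering described in the answer.
# Helper names are hypothetical; all saved searches below are constructed samples.

def parse_conf(text):
    """Parse minimal .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # split once: SPL values contain '='
            current[key.strip()] = value.strip()
    return stanzas

def layer(base, overlay):
    """Overlay wins per key; stanzas present only in base are kept."""
    merged = {name: dict(keys) for name, keys in base.items()}
    for name, keys in overlay.items():
        merged.setdefault(name, {}).update(keys)
    return merged

def push(deployer_default, deployer_local, member_local):
    """Return (member's default after the push, effective config on the member)."""
    pushed_default = layer(deployer_default, deployer_local)  # deployer local -> default
    effective = layer(pushed_default, member_local)           # member local untouched, wins
    return pushed_default, effective

def origin(pushed_default, member_local):
    """Label each saved search by the layer(s) defining it on the member."""
    report = {}
    for name in sorted(set(pushed_default) | set(member_local)):
        in_d, in_l = name in pushed_default, name in member_local
        report[name] = "default+local" if in_d and in_l else "default" if in_d else "local"
    return report

DEPLOYER_DEFAULT = "[Failed logins]\nsearch = index=auth action=failure\ncron_schedule = 0 * * * *\n"
DEPLOYER_LOCAL = "[Failed logins]\ncron_schedule = */15 * * * *\n"
MEMBER_LOCAL = ("[Failed logins]\ndisabled = 1\n"
                "[Analyst scratch search]\nsearch = index=proxy | stats count by user\n")

pushed, effective = push(parse_conf(DEPLOYER_DEFAULT), parse_conf(DEPLOYER_LOCAL),
                         parse_conf(MEMBER_LOCAL))
report = origin(pushed, parse_conf(MEMBER_LOCAL))
print(report)
```

Calling `push` again with empty deployer inputs models the "push out an empty app" case: the stanzas in the member's local are still present afterwards, which is why the answer also mentions deleting the files manually.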