Deployment Architecture

Moving searches from default to local to be able to manage on the cluster

skirven
Communicator

Hi! I am trying to deal with some technical debt, and I thought I had an understanding of what I needed. 😞 

Objective: I have some search artifacts inside a custom app on my Search Head Deployer that once deployed, users are unable to delete. On the Deployer, those searches were in the Default folder. I did give this what I thought was a thorough reading https://docs.splunk.com/Documentation/Splunk/7.2.10/DistSearch/PropagateSHCconfigurationchanges, but I may have missed something.

What I tried:
1) Back up the app
2) Moved the contents on the Deployer Server of shcluster/apps/app_name/default/savedsearches.conf to local/savedsearches.conf
3) I updated the local/app.conf to a "deployer_push_mode = full".

What appeared to happen: It seems that it may have merged the deployer local folder into the default on the cluster, which may make sense after another spin through the document.

What's the best approach for cleaning up this app? Should I just deploy it to my Search Head Deployer as an app, then remove the searches I want to clean up, then redeploy to the cluster?

Thanks!
Stephen


thambisetty
SplunkTrust

I believe you are looking for something similar to the thread below:

https://community.splunk.com/t5/Deployment-Architecture/Savedsearches-in-search-app-migrating-to-SHC...

————————————
If this helps, give a like below.

skirven
Communicator

Thanks for the response. But I already have the app created on the Deployer Server. It's moving the searches inside the app to be able to manage them. I don't want to go through and have to make a new app. 😞

Thanks!
Stephen
