Deployment Architecture

Is there a way to identify all scheduled searches on a single search head and move them to a search head cluster in my dev environment?

a212830
Champion

Hi,

I'm looking to migrate off a single search-head onto SHC in my dev environment. Is there a way to 1) identify all the scheduled searches and 2) move them onto the new SHC?

0 Karma

onthebay
Path Finder

I would recommend a more structured approach:
1) Move complete search apps to your SHC
2) Disable the scheduled searches on the standalone search head.

Details: Instead of trying to move individual searches, moving by app is easier to control.

- The splunk cmd btool (from dwaddle) gives you a nice list of all apps that have scheduled searches.

- Go through each one and if you want that app's searches running on the SHC copy it to shcluster/apps on the SHC deployer.

- Once all apps have been copied do a cluster deploy
- Then go back to your standalone search head (or appropriate deployment server) and disable those searches so that they are no longer scheduled on the standalone server.

This will be easier to maintain and control.

If you continue to create apps on your standalone search head or you already have those same apps on the SHC you will need to merge the app files. I recommend winmerge for this 🙂

Cheers

dwaddle
SplunkTrust

The first half to this is not so horrible:

| rest /servicesNS/-/-/saved/searches | search is_scheduled=1 | fields + title, eai:acl.app, eai:acl.owner

There, "identified" 🙂 The harder part is the "move". I would suggest a liberal application of things like:

splunk cmd btool --debug savedsearches list <searchname> | egrep -v "/etc/system/local/"

To see where all the various pieces of your saved search are defined, and then grab the pieces from the .conf files directly and reassemble them on the other side.
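As an added illustration of that last step (this is not code from the thread or from Splunk): the Python below parses a constructed sample of `btool --debug` output, drops the lines that come from etc/system/, and groups what remains by the app that defines it, so each app's fragment can be reviewed (the action.* keys show which alert actions would start running on the SHC) before it is copied under shcluster/apps on the deployer. The sample output and the "path, whitespace, setting" line layout of `btool --debug` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `splunk cmd btool --debug savedsearches list <name>` output.
# Assumption: btool --debug prefixes each line with the .conf file it came from.
BTOOL_DEBUG = """\
/opt/splunk/etc/apps/search/local/savedsearches.conf [Failed Logins Report]
/opt/splunk/etc/system/default/savedsearches.conf    action.email = 0
/opt/splunk/etc/apps/search/local/savedsearches.conf search = index=_audit action=failure | stats count by user
/opt/splunk/etc/apps/search/local/savedsearches.conf enableSched = 1
/opt/splunk/etc/apps/search/local/savedsearches.conf cron_schedule = */15 * * * *
/opt/splunk/etc/apps/my_alerts/default/savedsearches.conf action.script.filename = notify.sh
/opt/splunk/etc/system/local/savedsearches.conf      disabled = 1
"""

LINE_RE = re.compile(r"^(\S+\.conf)\s+(.*)$")
APP_RE = re.compile(r"/etc/apps/([^/]+)/")

def parse_btool_debug(text):
    """Return (stanza_name, [(conf_path, key, value), ...]) from btool --debug output."""
    stanza, settings = None, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unexpected line
        path, body = m.groups()
        if body.startswith("[") and body.endswith("]"):
            stanza = body[1:-1]
        elif "=" in body:
            key, value = (s.strip() for s in body.split("=", 1))
            settings.append((path, key, value))
    return stanza, settings

def reassemble_by_app(text):
    """Group the pieces by defining app; etc/system/ (Splunk defaults, instance-local) is skipped."""
    by_app = defaultdict(dict)
    for path, key, value in parse_btool_debug(text)[1]:
        app = APP_RE.search(path)
        if app and "/etc/system/" not in path:
            by_app[app.group(1)][key] = value
    return dict(by_app)

def render_stanzas(text):
    """One savedsearches.conf fragment per app, to review before copying to shcluster/apps/<app>/local/."""
    stanza = parse_btool_debug(text)[0]
    return {app: "[%s]\n" % stanza + "".join("%s = %s\n" % kv for kv in sorted(s.items()))
            for app, s in reassemble_by_app(text).items()}

for app, frag in render_stanzas(BTOOL_DEBUG).items():
    print("# shcluster/apps/%s/local/savedsearches.conf\n%s" % (app, frag))
```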
