Hi,
Testing out 6.4, and I noticed that the search-history feature is not replicated across SH. Is this possible?
This has finally been addressed in a useable way that seems to not have any downside/impact in 9.1 (search for "Preserve search history across search heads"):
https://docs.splunk.com/Documentation/Splunk/9.1.1/ReleaseNotes/MeetSplunk
Scarily enough, it appears to be enabled by default.
The feature you are looking at:
[shclustering]
conf_replication_include.history = true
This does not work.
Per the Splunk docs:
Note: The cluster does not replicate user search history. This is reflected in the default server.conf file, which includes the line, conf_replication_include.history = false. Changing that value to "true" has no effect and does not cause the cluster to replicate search history.
Here is the link to the Splunk docs:
http://docs.splunk.com/Documentation/Splunk/6.4.0/DistSearch/HowconfrepoworksinSHC
For SHC, it isn't replicated by default; you need to enable it in server.conf:
[shclustering]
conf_replication_include.history = true
You can also refer to this Answers post: https://answers.splunk.com/answers/391876/is-there-any-way-to-get-splunk-to-replicate-search.html
@esix I raised a support issue for this problem for version 6.3.2 and was told:
"We do not recommend changing the value of conf_replication_include.history to true as this could have a significant impact on performance."
Is this still the case or has the performance impact been fixed in 6.4?
Most likely, still the case...
Thanks. I added this to server.conf, in my own "app" in the deployer, and pushed it out. I also noticed that the SHs restarted. However, I still don't see the search history replicating.
[shclustering]
captain_is_adhoc_searchhead = true
conf_replication_include.history = true
Check with btool on your SH instances in the SHC. Confirm that the app deployed correctly and that the server.conf is updated:
splunk btool server list shclustering --debug
That will show you the applied configs and which app context they are being applied from.
I entered the command, and here's the only line with that setting (which is my app), so I'm still not sure why this isn't working.
/apps/splunk/etc/apps/baseconfig_dev_shc_license/default/server.conf conf_replication_include.history = true
Do you mean in SHC? Or across separate search heads?
Using SHC.