Deployment Architecture

Saved search changes in search head cluster don't persist.

t183194
Explorer

We have some scheduled saved searches that we migrated from a stand-alone SH to a SHC via a deployer. When we try and edit a search (in this case the edit is removing an email address), then save the change, the change doesn't persist. Is this because the edit is removing something and so savedsearches.conf in /local is not being updated?
We can create a new search and edit it ok, it's just the searches that were deployed that are the issue. Would like to know if this is expected functionality or a bug.


gjanders
SplunkTrust

Are you saying you have moved searches from the local search head (previously a single instance) to a deployer and pushed them to a search head cluster?

In this case searches pushed by the deployer cannot be deleted on the search head cluster. I'm unsure why editing does not work in your scenario, but my solution was to clone any searches pushed by the deployer so they existed locally on the search head and to stop them from being pushed by the deployer itself. This was a pain but something that had to be fixed eventually...

Just to confirm, when you edit the search you're saying the local/savedsearches.conf doesn't get created if it was pushed by the deployer?


DalJeanis
SplunkTrust

Okay, so this link describes what is happening

https://answers.splunk.com/answers/121808/how-to-ensure-upgrade-of-saved-search-which-was-modified-b...

This link describes where to put the modified saved search so that it will be propagated correctly. See the section under "Where to place the configuration bundle on the deployer"

http://docs.splunk.com/Documentation/Splunk/6.5.3/DistSearch/PropagateSHCconfigurationchanges


DalJeanis
SplunkTrust

Where, precisely, are you editing the search? It is not likely to be the type of change that you are making, it is likely to be where you are making the change.

You need to edit it and deploy the update, not edit it on any SH. Otherwise, the deployer will just have to overwrite that pesky search that is getting out of sync with its master.


t183194
Explorer

The change being made is via Splunk web. In this scenario the user is trying to remove an email address that was part of the deployed saved search. Hope this makes it clear.


t183194
Explorer

PS, we are using Splunk Enterprise 6.5.2
