
What is the best way to handle deploying saved searches to multiple search heads?

ss250858
Observer

Currently I have 4 search heads and 1 deployment server. The search heads are not clustered. I am not able to find anything describing how to best handle deployment of saved searches. The searches only need to run on 1 search head, not all 4. The only process I can come up with is to create the searches on the deployment server and disable them, deploy them, and then enable them on 1 of the search heads, but that could result in a redeployment of the searches as disabled.

Am I missing anything that would allow me to deploy these searches with them enabled on only one search head, or do I need to look into clustering the search heads to accomplish this?

Thanks

1 Solution

Richfez
SplunkTrust
SplunkTrust

Why not deploy the search only to one of the search heads?

(If your saved search is mixed in with an app that has other stuff in it, you'll want to move it to its own app.)

Following the "Use forwarder management to create server classes" documentation, do step 1 as shown. For step 2, use the app that has the saved search. Then for step 3, pick the one SH you'd like these to run on. Deploy. Profit!

Happy Splunking!

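To make the difference between the two approaches in this thread concrete (the original plan of shipping savedsearches.conf inside the shared app to all four search heads, versus the accepted answer's separate app in a server class that whitelists a single search head), here is an added example that is not part of the thread and not Splunk's own code. It models how the deployment server's serverclass.conf whitelists decide which apps each client receives. The hostnames, IPs, client names, app names and server-class names are constructed for illustration; the matcher applies the default filterType=whitelist rule (a client belongs to a server class when any whitelist entry matches one of its identifiers and no blacklist entry does) and deliberately ignores machineTypesFilter and other filters.

```python
"""Simulate deployment-server server-class matching for saved-search apps.

Added example, not Splunk's code.  All hosts, app names and class names
below are constructed.  Matching follows the default filterType=whitelist
behaviour: a client is in a server class when any whitelist glob matches
its clientName, IP address or hostname and no blacklist glob does.
"""
import configparser
import fnmatch
from typing import Dict, List, Set, Tuple

# Constructed deployment clients as (clientName, ipAddress, hostname).
CLIENTS: List[Tuple[str, str, str]] = [
    ("sh1", "10.0.1.11", "sh1.example.com"),
    ("sh2", "10.0.1.12", "sh2.example.com"),
    ("sh3", "10.0.1.13", "sh3.example.com"),
    ("sh4", "10.0.1.14", "sh4.example.com"),
]

# Before: dashboards and savedsearches.conf live in one app, so the
# scheduled searches land on every search head the class matches.
BEFORE_CONF = """
[serverClass:search_heads]
whitelist.0 = sh*.example.com
[serverClass:search_heads:app:sh_content]
"""

# After: savedsearches.conf moved into its own app, which sits in a
# second server class whose whitelist names exactly one search head.
# stateOnClient controls whether the pushed app is enabled on the client.
AFTER_CONF = """
[serverClass:search_heads]
whitelist.0 = sh*.example.com
[serverClass:search_heads:app:sh_dashboards]

[serverClass:scheduled_searches]
whitelist.0 = sh1.example.com
[serverClass:scheduled_searches:app:sh_scheduled_searches]
stateOnClient = enabled
"""

ServerClass = Tuple[List[str], List[str], List[str]]  # whitelist, blacklist, apps


def parse_serverclasses(conf_text: str) -> Dict[str, ServerClass]:
    """Collect whitelist/blacklist globs and app names per server class."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(conf_text)
    classes: Dict[str, ServerClass] = {}
    for section in cp.sections():
        parts = section.split(":")
        if len(parts) == 2 and parts[0] == "serverClass":
            entry = classes.setdefault(parts[1], ([], [], []))
            for key, value in cp.items(section):
                if key.startswith("whitelist."):
                    entry[0].append(value.strip())
                elif key.startswith("blacklist."):
                    entry[1].append(value.strip())
        elif len(parts) == 4 and parts[0] == "serverClass" and parts[2] == "app":
            # [serverClass:<class>:app:<app>] may appear before the class stanza.
            classes.setdefault(parts[1], ([], [], []))[2].append(parts[3])
    return classes


def client_matches(client: Tuple[str, str, str],
                   whitelist: List[str], blacklist: List[str]) -> bool:
    """Whitelist hit on any identifier, and blacklist always wins."""
    def hits(globs: List[str]) -> bool:
        return any(fnmatch.fnmatchcase(ident, g) for g in globs for ident in client)
    return hits(whitelist) and not hits(blacklist)


def deployed_apps(conf_text: str,
                  clients: List[Tuple[str, str, str]] = CLIENTS) -> Dict[str, Set[str]]:
    """Map each client hostname to the apps the deployment server would push."""
    classes = parse_serverclasses(conf_text)
    result: Dict[str, Set[str]] = {}
    for client in clients:
        apps: Set[str] = set()
        for whitelist, blacklist, app_names in classes.values():
            if client_matches(client, whitelist, blacklist):
                apps.update(app_names)
        result[client[2]] = apps
    return result


def hosts_receiving(conf_text: str, app_name: str,
                    clients: List[Tuple[str, str, str]] = CLIENTS) -> List[str]:
    """Sorted hostnames that would receive app_name."""
    return sorted(h for h, apps in deployed_apps(conf_text, clients).items()
                  if app_name in apps)


if __name__ == "__main__":
    print("before:", hosts_receiving(BEFORE_CONF, "sh_content"))
    print("after, scheduled searches:", hosts_receiving(AFTER_CONF, "sh_scheduled_searches"))
    print("after, dashboards:", hosts_receiving(AFTER_CONF, "sh_dashboards"))
```

Run stand-alone it shows the shared app reaching all four hosts in both layouts, while the scheduled-search app in the second layout reaches only sh1.example.com. Because the app is never sent to the other three search heads, there is no disabled copy on them to be re-enabled or re-pushed, which is the concern raised in the question. Check the real assignments on the deployment server under Settings > Forwarder management before relying on the split.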

somesoni2
SplunkTrust
SplunkTrust

A search head cluster would help you with this use-case (you would need a SHC Deployer instance, which will deploy apps to the search heads in the SHC). Are all those 4 search heads catering to the same set of users? Are they all standalone? With clustering they'll have the same set of configurations/user artifacts (the SHC will handle scheduling so that only one instance is run); would that be OK/desirable?



ss250858
Observer

That is an option. There already is an app that is deployed to all search heads that has the dashboards and other configs and that is where the savedsearches.conf currently is.

Thanks for the reply.


Richfez
SplunkTrust
SplunkTrust

ss250858,

If this resolved your issue, could you please mark it Accepted?

If it did not, please post back with more information or what's not working right so we can help finish this up!

If you went another route, feel free to write up your own answer and mark that as accepted!

Happy Splunking,
Rich
