Reporting

Creating reports in one SHC member will cause issue to other SHC members?

maniu1609
Path Finder

Hi All,
We have three search heads members. Now I'm creating a report for an custom app from a SHC member. So it created a local directory for that app in that SHC member. and the changes are also replicated to all other SHC. Now I'm afraid of the changes I made.
Since it created local directory, Content in default directory will get affected?

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi @maniu1609,

When you create any knowledge objects in splunk search head it always stores in local directory. This is to prevent default settings and when you upgrade any application it will not overwrite your knowledge objects config which you have created from Splunk Web.

Now in splunk local directory has higher precedence then default directory. Let's understand with example, let's say you have one scheduled search test_search and in default directory savedsearches.conf contains index=abc | table host,sourcetype. Now you will change this schedule search from Splunk Web and you will change query to index=abc | stats count by host this sconfiguration will store in local directory of app so in future when this schedule search will run it will run index=abc | stats count by host from local directory not default because local directory has higher precedence than default directory.

If you want to keep your configuration in default directory on all SHC member due to process/requirement then you need to add configuration in your app on Deployer and you need to push bundle from Deployer to all SHC members everytime.

I hope this helps.

Thanks,
Harshil

View solution in original post

harsmarvania57
SplunkTrust
SplunkTrust

Hi @maniu1609,

When you create any knowledge objects in splunk search head it always stores in local directory. This is to prevent default settings and when you upgrade any application it will not overwrite your knowledge objects config which you have created from Splunk Web.

Now in splunk local directory has higher precedence then default directory. Let's understand with example, let's say you have one scheduled search test_search and in default directory savedsearches.conf contains index=abc | table host,sourcetype. Now you will change this schedule search from Splunk Web and you will change query to index=abc | stats count by host this sconfiguration will store in local directory of app so in future when this schedule search will run it will run index=abc | stats count by host from local directory not default because local directory has higher precedence than default directory.

If you want to keep your configuration in default directory on all SHC member due to process/requirement then you need to add configuration in your app on Deployer and you need to push bundle from Deployer to all SHC members everytime.

I hope this helps.

Thanks,
Harshil

hardikJsheth
Motivator

All the changes that you do to the dashboards on search head will automatically get replicated to others search head nodes in your search head cluster.

You can refer following docs for further information.
https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0ahUKEwjVt6Di6PTXAhULVbwKHaTLA...

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...