A search head cluster is a group of Splunk Enterprise search heads that share configurations, job scheduling, and search artifacts1. The deployer is a Splunk Enterprise instance that distributes apps and other configurations to the cluster members1. The local folder of each Splunk app contains the custom configurations that override the default settings2. The default folder of each Splunk app contains the default configurations that are provided by the app2.
By default, when the deployer pushes an app to the search head cluster, it merges the local folder of the app into the default folder and deploys the merged folder to the search heads3. This means that the custom configurations in the local folder will take precedence over the default settings in the default folder. However, this also means that the local folder of the app on the search heads will be empty, unless the app is modified through the search head UI3.
Option B is the correct answer because it reflects the default behavior of the deployer when pushing apps to the search head cluster. Option A is incorrect because the local folder is not copied to the local folder on the search heads, but merged into the default folder. Option C is incorrect because all the .conf files in the local folder are deployed to the search heads, not only certain ones. Option D is incorrect because the local folder is not ignored, but merged into the default folder.
[References:, 1: Search head clustering architecture - Splunk Documentation 2: About configuration files - Splunk Documentation 3: Use the deployer to distribute apps and configuration updates - Splunk Documentation, , , ]
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit