According to the Splunk Enterprise Search Head Clustering (SHC) Deployer documentation, the “local_only” push mode is the correct option when deploying built-in apps. This mode ensures that the deployer only pushes configurations from the local directory of built-in Splunk apps (such as search, learned, or launcher) without overwriting or merging their default app configurations.
In an SHC environment, the deployer is responsible for distributing configuration bundles to all search head members. Each push can be executed in different modes depending on how the admin wants to handle the app directories:
full: Overwrites both default and local folders of all apps in the bundle.
merge_to_default: Merges configurations into the default folder (used primarily for custom apps).
local_only: Pushes only local configurations, preserving default settings of built-in apps (the safest method for core Splunk apps).
default_only: Pushes only default folder configurations (rarely used and not ideal for built-in app updates).
Using the “local_only” mode ensures that default Splunk system apps are not modified, preventing corruption or overwriting of base configurations that are critical for Splunk operation. It is explicitly recommended for pushing Splunk-provided (built-in) apps like search, launcher, and user-prefs from the deployer to all SHC members.
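A pre-push check for the recommendation above, as an added example that is not Splunk's own tooling: it scans a deployer staging directory and reports built-in apps whose push mode is anything other than local_only. It assumes the per-app mode is set as `deployer_push_mode` in the `[shclustering]` stanza of the app's `local/app.conf` under the staging directory (typically `$SPLUNK_HOME/etc/shcluster/apps`); the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Built-in app names taken from the page; extend for your deployment.
BUILTIN_APPS = {"search", "learned", "launcher", "user-prefs"}

def read_push_mode(app_conf_path):
    """Return deployer_push_mode from the [shclustering] stanza, or None."""
    stanza, mode = None, None
    try:
        with open(app_conf_path, encoding="utf-8") as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                if line.startswith("[") and line.endswith("]"):
                    stanza = line[1:-1].strip()
                elif stanza == "shclustering" and "=" in line:
                    key, value = (p.strip() for p in line.split("=", 1))
                    if key == "deployer_push_mode":
                        mode = value
    except FileNotFoundError:
        return None
    return mode

def audit_staging(staging_dir):
    """Return {app: mode} for staged built-in apps not set to local_only."""
    findings = {}
    for app in sorted(os.listdir(staging_dir)):
        if app not in BUILTIN_APPS:
            continue  # custom apps are out of scope for this check
        conf = os.path.join(staging_dir, app, "local", "app.conf")
        mode = read_push_mode(conf)
        if mode != "local_only":
            findings[app] = mode or "unset"
    return findings

def build_sample(root):
    """Constructed sample staging tree, for demonstration only."""
    samples = {"search": "local_only", "launcher": "full",
               "user-prefs": None, "my_custom_app": "merge_to_default"}
    for app, mode in samples.items():
        local = os.path.join(root, app, "local")
        os.makedirs(local)
        if mode:
            with open(os.path.join(local, "app.conf"), "w") as fh:
                fh.write(f"[shclustering]\ndeployer_push_mode = {mode}\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_staging(build_sample(tmp)))
```

Run it against the real staging directory before `splunk apply shcluster-bundle`; an empty result means every staged built-in app is pinned to local_only.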
References (Splunk Enterprise Documentation):
• Managing Configuration Bundles with the Deployer (Search Head Clustering)
• Deployer Push Modes and Their Use Cases
• Splunk Enterprise Admin Manual – SHC Deployment Management
• Best Practices for Maintaining Built-in Splunk Apps in SHC Environments