Configure database repository mode

Set up agent management to use the Postgres-backed database repository mode by configuring the repository type and activating the saved-search pipeline.

To configure database mode, you set repository_type = database and activate the saved searches that produce the data agent management ingests into Postgres.

  1. Open or create $SPLUNK_HOME/etc/system/local/agent_management.conf.
  2. In the [general] stanza, set repository_type = database.

    To tune ingestion, matching refresh, or retention behavior, add a [repository_database] stanza.

    Example:

    CODE 
    [general]
request_timeout = 5m
repository_type = database
  3. Create or edit $SPLUNK_HOME/etc/apps/SplunkDeploymentServerConfig/local/savedsearches.conf and activate the producer searches with scheduling.

    Add the following stanzas:

    CODE 
    [AgentManagerAppEventData]
disabled = 0
enableSched = 1
[AgentManagerPhonehomeData]
disabled = 0
enableSched = 1
[AgentManagerClientData]
disabled = 0
enableSched = 1
  4. In the same file, enable the summary search stanza but don't schedule it.
    CODE 
    [AgentManagerEventSummary]
disabled = 0

    In Splunk Enterprise 10.4, these saved searches use agent management data from _internal.

  5. Restart the Splunk instance to apply the repository and saved-search configuration changes.

Agent management now uses the Postgres-backed repository and ingests data that the scheduled saved searches produce going forward.

Splunk Enterprise 10.4 doesn't include an automatically activated historical client-data backfill flow for agent management database mode. After you activate database mode and the saved-search pipeline, agent management ingests only the data that the scheduled searches produce going forward.

If you need to load historical _dsclient or _dsappevent data into the Postgres-backed repository, use a backfill procedure provided separately for your environment. Use a built-in backfill saved search only if the procedure for your environment explicitly confirms it is available, activated, and safe to schedule.