Splunk Enterprise Security

How to restore Glass Tables - ES Deployment Template

season88481
Contributor

Hi team,

We are in Enterprise Security

I cleared one of the default Glass Tables by mistake. Is there a way to restore this glass table?

I understand this "ES Deployment Template" is an out-of-the-box glass table. Could I restore the glass table by copying the configuration files from another Enterprise Security instance?

If yes, what files/folders should I copy from?

Thanks.
Season

0 Karma
1 Solution

bluger_splunk
Splunk Employee

Hi Season!

When you say you "cleared" the glasstable, is it safe to assume that this was done using the "clear" action available when editing a glasstable? Or was the glasstable removed/deleted from the system?

There is a way to restore the glasstable but it unfortunately can only be done if you have disk access to the system. If you do have disk access to the system, following the steps below should fix the issue.

These steps will walk you through the removal of the "ess_content_importer" metadata file. This file tracks which apps have had glass table content imported and which have not. Deleting it will force all content to be reimported for all installed apps. That said, the importer will NOT overwrite any existing content, so modifications to existing glass tables will remain unchanged.

  1. Delete the "ES Deployment Template" from within the "Saved Glass Tables" dashboard (called "Glass Tables" in the nav bar).
  2. Once the glass table has been deleted, navigate to the following directory on disk: "$SPLUNK_HOME/var/lib/splunk/modinputs/ess_content_importer"
  3. Once in this directory, delete the "ess_content_importer" file. Make sure you delete the "ess_content_importer" file (there is no extension for the file) and not the directory. It can be a bit confusing because the file name is the same as the name of the directory that contains it. To be clear, the full path of the file that needs to be removed is: "$SPLUNK_HOME/var/lib/splunk/modinputs/ess_content_importer/ess_content_importer".

Note that this resolution is only needed for the out-of-the-box glass tables because they were shipped within the SplunkEnterpriseSecuritySuite app, which cannot be disabled and re-enabled. To reimport content for any other apps, you can follow the steps outlined in the documentation linked below.

http://docs.splunk.com/Documentation/ES/4.7.0/User/ManageGlassTable#Restore_a_glass_table_that_you_d...

Hope this helps! Let me know if it doesn't.

Kindest Regards,

~Brian
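
Steps 2 and 3 of the answer above, as a shell sketch that guards against the file/directory name collision it warns about. This is an added example, not part of the original post and not Splunk's own tooling; the function name, return codes and backup directory are assumptions, and step 1 (deleting the glass table in the UI) is assumed to be done already.

```shell
#!/bin/sh
# Added example (hypothetical helper): remove the ess_content_importer
# metadata FILE while leaving the same-named parent DIRECTORY in place.
#
# Usage: remove_importer_metadata "$SPLUNK_HOME" /path/to/backups
# Prints the backup path on success.
# Returns: 0 removed, 1 file not found, 2 path is not a regular file,
#          3 backup failed, 4 delete failed.
remove_importer_metadata() {
    splunk_home=$1
    backup_dir=${2:-/tmp}   # assumption: caller chooses where the copy goes
    dir="$splunk_home/var/lib/splunk/modinputs/ess_content_importer"
    file="$dir/ess_content_importer"   # no extension, same name as $dir

    if [ ! -e "$file" ] && [ ! -L "$file" ]; then
        echo "not found: $file" >&2
        return 1
    fi

    # Refuse directories and symlinks: only the plain file may be deleted.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "refusing: $file is not a regular file" >&2
        return 2
    fi

    # Keep a timestamped copy so the previous import state can be put back.
    backup="$backup_dir/ess_content_importer.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$file" "$backup" || return 3

    # Plain rm on the file only; never rm -r on this path.
    rm -- "$file" || return 4
    echo "$backup"
}
```
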
