Alerting

How can we migrate dashboards and alerts from one farm to another?

ddrillic
Ultra Champion

We are in the process of migrating from one farm to another. How can we move a set of dashboards and alerts from the original farm to the next?


lguinn2
Legend

All of the dashboards, saved searches, tags, eventtypes, etc. are collectively referred to as "knowledge objects" in Splunk.
They are stored in various directories under $SPLUNK_HOME/etc on the search head(s):

system - for system-level configurations, which should not normally include knowledge objects (but could)
apps - contains a directory for each app, with its associated knowledge objects (which are generally shared)
users - contains a directory for each user, containing the users' private knowledge objects

If you are moving from/to a search head cluster, you need to carefully follow the directions in the Distributed Search manual. If you are using independent search heads (not clustered), then you should be able to copy the apps and users directories from one search head to another. Don't copy the system directory across, but do check to see what is in it.

skoelpin
SplunkTrust

Saved searches are defined at search time in props.conf and transforms.conf on the search head. Use these REST calls to identify everything you have, and then you can start copying your conf files to the new servers.

Query1 (macros)
    | rest splunk_server=local /servicesNS/-/-/properties/macros | table id eai:acl.owner | rename eai:acl.owner  as owner | fillnull value="-"  owner | map maxsearches=10000 search="| rest splunk_server=local $id$/definition | eval id=\"$id$\" | eval owner=\"$owner$\"" | where match(value,"YourSourceTypeHere\:") | table id | rex field=id ".+\/(?<search>.+)$" | table search | eval search="search=*\"`".search."`\"*"

Query2 (eventtypes)
     | rest /servicesNS/-/-/saved/eventtypes splunk_server=local | search search="*YourSourceTypeHere*"| table title | eval search="search=\"*eventtype*=*".title."*\"" | table search

Query3 (Saved searches)
    | rest splunk_server=local /servicesNS/-/-/saved/searches | table title eai:acl.app search eai:acl.owner | rename eai:acl.owner as owner | where match(search,"YourSourceTypeHere")

Query4 (Dashboards/Forms)
    | rest splunk_server=local /servicesNS/-/-/data/ui/views | table title eai:acl.app eai:data eai:acl.owner | rename eai:data as code eai:acl.owner as owner | where match(code,"YourSourceTypeHere")

FIELDS
    | rest /servicesNS/-/-/data/props/extractions splunk_server=local | rename eai:acl.app as App
    | search stanza=*prd_ngn_ace*
    | stats values(stanza) AS stanza values(title) as title values(value) AS RegEx values(attribute) AS ExtractionType by App
    | eval cap_path=mvzip(title,RegEx,ExtractionType)
    | mvexpand cap_path
    | makemv delim="," cap_path
    | eval capacity=mvindex(cap_path,0)
    | fields + cap_path App
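An offline counterpart to Query3 above, added here as an example and not taken from either answer: it parses a savedsearches.conf in the layout used under $SPLUNK_HOME/etc/apps/<app>/local and etc/users/<user>/<app>/local and lists the stanzas whose search references a given sourcetype, so you can check which saved searches and alerts (and therefore which app or user directory) must travel to the new farm before copying. The conf content and sourcetype names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample savedsearches.conf (not from a real deployment).
# Shows comments, a trailing-backslash continuation, and alert/report keys.
SAMPLE_CONF = """\
# knowledge objects for the "security" app
[Failed logins by host]
search = index=security sourcetype=linux_secure "Failed password" \\
  | stats count by host
enableSched = 1
cron_schedule = */5 * * * *
alert.track = 1

[Web errors]
search = index=web sourcetype=access_combined status>=500 | timechart count
disabled = 0

[Unrelated report]
search = index=_internal | head 10
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}.
    Handles '#' comments, blank lines and lines continued with a trailing backslash."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    pending: List[str] = []  # pieces of a line continued with '\'
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending.append(raw[:-1])
            continue
        line = "".join(pending) + raw
        pending = []
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas[current] = {}
        elif "=" in stripped and current is not None:
            key, value = stripped.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def searches_referencing(conf_text: str, sourcetype: str) -> List[Dict[str, object]]:
    """Stanzas whose 'search' mentions the sourcetype (same idea as the
    where match(search, ...) in Query3), flagged as scheduled alert or plain report."""
    found = []
    for name, attrs in parse_conf(conf_text).items():
        if re.search(re.escape(sourcetype), attrs.get("search", "")):
            scheduled = attrs.get("enableSched") == "1" or "cron_schedule" in attrs
            found.append({"name": name, "scheduled": scheduled})
    return found
```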