Is there a way to export all searches, alerts and ...

DanielUhlmann · ‎09-04-2018

Hello guys,

My question is pretty simple. Is there a easy way to export all your searches/reports and alerts created from every user, from one splunk indexer instance to another instance? My only suggestion for this problem was to locate all savedsearches.conf from every user and create the users on my new machine and copy all the conf. files. So my question is if there's an easier way to do this.

regards,

Daniel

gjanders · ‎11-12-2019

I wrote transfersplunkknowledgeobjects.py for this purpose about 9 months ago, this forms the basis for one of my apps Version Control for Splunk

There is also a github repository and an excellent conf presentation linked here:
FN1315 - Cover Your Assets: Protect Your Knowledge Objects from Yourself (and Others) - A Paychex st...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

gerrysr6 · ‎07-06-2023

I'm trying to export and import alerts from one search head to a new search head.

Can transfersplunkknowledgeobjects.py be used for this?

I don't know what to use for "-srcApp" so I am trying "alerts" (without the quotes)

Right now I'm getting 404 errors. I do have a Bearer Token but where to put it?

I looked at "Version Control for Splunk" but that is even harder to figure out how to use it.

DanielUhlmann · ‎10-01-2018

@felipesewaybricker

Do you copy this out from your Webview or from your Splunk Indexer Server?

Regards

felipesewaybric · ‎10-01-2018

From my search head.

What I recommend is to create a new app folder, copy the folder structure from /opt/splunk/apps/, then all you need is to keep the files with the searchs and reports (savedsearch.conf), dashboards (data/ui/views folder), and others that you want to move.

DanielUhlmann · ‎10-10-2018

@felipesewaybricker

Thanks for your suggestion! I've ported every application from /apps now to my new splunk Head but now the App "launcher" is missing. Isn't this just the normal Splunk package which comes by default when you install splunk, because this is the 'core'?

Thanks in advance.

DanielUhlmann · ‎10-02-2018

@felipesewaybricker

So I copied the complete apps/ folder now. Now I can use them in my new Head if I replace the existing apps folder with my old one, right?

felipesewaybric · ‎10-02-2018

Almost, you dont need to copy all the app folder, only thoses apps that have info. The default app is called search.

kariras06 · ‎09-17-2018

This may be helpful:
https://docs.splunk.com/Documentation/ES/5.1.0/Admin/Export

Good luck!

tkopchak · ‎09-17-2018

Something to keep in mind when doing this sort of migration - just copying the user data will likely not be sufficient for everything to work properly. You will also need to ensure that any knowledge objects used by existing reports (field extractions, lookups, etc) are migrated as well.

If this is a case where you are replacing your search head with a new one, it would make the most sense to perform a migration of the configuration to ensure everything is moved over.

Noah_Woodcock · ‎09-16-2018

AppExporter

That is a tool that I use for situations like this.

gerrysr6 · ‎07-05-2023

App Exporter looks promising... how to use it to export Alerts and Reports as requested by Daniel?

woodcock · ‎09-16-2018

Check out this REST API endpoint:

/servicesNS/-/-/

MonkeyK · ‎09-16-2018

This post looks helpful:
https://answers.splunk.com/answers/49477/query-to-retrieve-saved-search-string.html
https://answers.splunk.com/answers/107423/using-splunk-rest-to-list-saved-searches-only-returns-a-li...

and creating searches using REST API
http://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches

Unfortunatly, that is as much as I can show because I do not have access to the REST API in my environment.

felipesewaybric · ‎09-16-2018

Is easy, just copy those xml from views and the savedsearch file to another app, or create a new one and copy.

saibal6 · ‎11-11-2019

Thanks @felipesewaybricker .

I have tried it and it is working perfectly. But need to create a documentation on this, so I need the Splunk suggested documents. Could you please add any splunk documents link?

Thanks,
@saibal6

mstjohn_splunk · ‎09-11-2018

@danieluhlmann

Were you able to solve your problem? If so, please describe how you were able to do this in an answer post.

If your problem is still not solved, keep us updated so that someone else can help ya.

Thanks for posting!

mstjohn_splunk · ‎09-04-2018

Hi @DanielUhimann,

Not sure if this helps you, but I stumbled upon this in Splunk Docs: https://docs.splunk.com/Documentation/Splunk/7.1.2/Installation/MigrateaSplunkinstance

Does anything in there help?

adonio · ‎09-08-2018

copy the entire users directory?
what is it exactly that you are trying to do? and why?

Is there a way to export all searches, alerts and reports from all users to another Splunk instance?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes