My environment has 1 HF which is pushing logs to Splunk Cloud.
I would like to take a backup of all savedSearches.conf files in my Splunk Cloud whenever they are modified.
I am aware that Splunk Cloud limits the REST capabilities to modify config files, but I am hoping I can still use this app on the HF to pull config changes from my cloud instance and push them to our git repository for tracing back any changes made to alerts in prod.
If I do not care about restoring them via the app, I could do it manually via Splunk Cloud support.
If you are using the app Version Control For Splunk as in https://splunkbase.splunk.com/app/4355/ , or Chris Yonger's app Git Version Control for Splunk https://splunkbase.splunk.com/app/4182/ then both apps will have the same limitations with using the Splunk REST API in the Splunk Cloud instance.
However, the app I created, Version Control For Splunk, is using Python's json.dump() to store config, so if you are looking for a friendly human-readable backup of config I would look at Git Version Control for Splunk.
Version Control For Splunk is designed for backup and restore so the stored configuration in git is not easily human readable.
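As an added illustration of the human-readable point in the answer above (not part of the thread and not code from either app): a JSON dump of saved searches rendered as sorted .conf-style stanzas so git diffs stay readable, plus a comparison that names which alerts changed. The dump layout, the sample searches and the function names are constructed for this example.

```python
import json

# Constructed sample snapshots. The layout (a list of {"name": ..., settings})
# is an assumption for this example, not the storage format of either app.
OLD_DUMP = json.dumps([
    {"name": "Failed logins", "search": "index=auth action=failure\n| stats count by user",
     "cron_schedule": "*/5 * * * *", "disabled": "0"},
    {"name": "Disk full", "search": "index=os df_pct>90",
     "cron_schedule": "0 * * * *", "disabled": "0"},
])
NEW_DUMP = json.dumps([
    {"name": "Disk full", "search": "index=os df_pct>90",
     "cron_schedule": "0 * * * *", "disabled": "0"},
    {"name": "Failed logins", "search": "index=auth action=failure\n| stats count by user",
     "disabled": "1", "cron_schedule": "*/5 * * * *"},
    {"name": "New admin", "search": "index=audit role=admin",
     "cron_schedule": "0 0 * * *", "disabled": "0"},
])


def render_conf(dump):
    """Render a JSON dump as .conf-style stanzas, sorted so the output is stable."""
    lines = []
    for entry in sorted(json.loads(dump), key=lambda e: e["name"]):
        lines.append("[%s]" % entry["name"])
        for key in sorted(k for k in entry if k != "name"):
            # .conf files continue a multi-line value with a trailing backslash
            value = str(entry[key]).replace("\n", "\\\n")
            lines.append("%s = %s" % (key, value))
        lines.append("")
    return "\n".join(lines)


def changed_stanzas(old_dump, new_dump):
    """Return (added, removed, modified) stanza names between two dumps."""
    old = {e["name"]: e for e in json.loads(old_dump)}
    new = {e["name"]: e for e in json.loads(new_dump)}
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(n for n in set(old) & set(new) if old[n] != new[n])
    return added, removed, modified


if __name__ == "__main__":
    print(render_conf(NEW_DUMP))
    print(changed_stanzas(OLD_DUMP, NEW_DUMP))
```

Committing the rendered text rather than the raw dump means a reordered export produces no diff, while a disabled or edited alert shows up as a one-line change.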
There is also a new app called Config Explorer.
Unfortunately I doubt this app will be approved for Splunk Cloud as it allows filesystem access. (But thanks for the mention 🙂)
I missed the Splunk Cloud part. You are correct. This app will NEVER get approved.
Thank you gjanders.
I was able to add a new input using the GUI, which worked as expected.
Your suggestion about taking a human-readable backup is also on point.
PS:
While adding a new input via the GUI, it does not allow me to use useLocalAuth=true as it gives me an error. I was using a local Splunk install to test the app.
Also, I added the following to the Python scripts to make it work (as suggested by an open issue on GitHub):
os.unsetenv('LD_LIBRARY_PATH')
My host OS is: Ubuntu 16.04 64-bit
Thank you for your help.
I'm unsure why the useLocalAuth did not work if you were using https://localhost:8089; that worked in testing, although my prod are all search head clusters so they all run with remote URLs.
I've created this on the README.md file now:
"Troubleshooting
In some Linux OS distributions an error similar to OPENSSL_1.0.0 not found may appear. os.unsetenv('LD_LIBRARY_PATH') appears to fix this, however AppInspect does not allow modification of OS environment variables.
If you have this issue please add this into the Python files to work around the problem as required; refer to this issue on GitHub for more details"
Unfortunately you can't back up your Splunk Cloud config using this app.
Potentially you could do something by running a search query and writing that to a lookup file on a regular basis?
Splunk already do their own backups anyway.
Hi Chris, I am hoping that I could install your app - "Git Version Control for Splunk" on one of the indexers on Splunk Cloud to take a btool dump and push it to our git repo every n seconds. It does not involve any REST API calls, I think.
Don't you think it should work if Splunk Cloud allows me to install git on it? Can you share your views on it?
We just moved to cloud. Seems like Splunk does not allow third-party applications on Splunk Cloud.
So I guess I can't install git on Splunk Cloud.
I am sorry but the Splunk Cloud team will never allow it to be installed... You are welcome to try though.