Hi All,
Due to security requirements we cannot have a single Streams App "Deployer" which all Streams Agents phone home to
[streamfwd://streamfwd]
splunk_stream_app_location = https://192.168.64.60:8000/en-us/custom/splunk_app_stream/
disabled = 0
In order to work around this network/security limitation we've had to install the Stream App on HFs in multiple network zones.
Question: To save us having to manually enter all the custom Streams and Forwarder Groups can we export from one instance and import to another?
From what I can tell they are in a kvstore based on the contents of this file
cat /opt/splunk/etc/apps/splunk_app_stream/default/collections.conf
#
# Splunk app KV Store collection file
#
[streams]
[miscellaneous]
[streamforwardergroups]
[fileservermountpoints]
[fileservermountpointsTEST]
[configurations]
[vocabularies]
[netflow_ipfix_apps_info]
Is it just a matter of exporting one or all of these collections?
# Export
/opt/splunk/bin/splunk backup kvstore -archiveName streams-streams-backup -collectionName streams -appName splunk_app_stream
and
/opt/splunk/bin/splunk backup kvstore -archiveName streams-forwardergroups-backup -collectionName streamforwardergroups -appName splunk_app_stream
# Then collect these backups from /opt/splunk/var/lib/splunk/kvstorebackup copy across to the other "Stream Deployer" then reimport with
/opt/splunk/bin/splunk restore kvstore -archiveName streams-streams-backup -collectionName streams -appName splunk_app_stream
and
/opt/splunk/bin/splunk restore kvstore -archiveName streams-forwardergroups-backup -collectionName streamforwardergroups -appName splunk_app_stream
Ref: https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/BackupKVstore
Is there a better way or is this our only option?