Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to recreate partial index data with metadata on different Splunk installation?

deepdive100
Loves-to-Learn Everything
‎08-18-2023 10:50 AM

I have a Splunk container for development (Dev).  I want to import a slice of data from one index of my production Splunk (Prod) to this container so I can write searches against that data exactly as it appears in Prod. 

Using Export on Prod and Import on Dev is not producing my desired outcome.  Doing this as a single file with a single indexing is creating logs that are indexing the container hostname as the host not the host of the data itself.  The data in the Prod index is of varying sourcetypes so the import is also only creating the sourcetype of the import file, not tha sourcetype from the data itself. 

I'm looking at possibly using the  EventGen app but not sure if this will do what I'm trying to do.

Is what I'm doing possible?  I do not want the entire prod index. I do not want to rsync or otherwise go to the backend to move data.  

EDIT: I modified the title, it seems I want the raw data and metadata to all come over in one package?

Labels (2)
Labels
Tags (2)
0 Karma
Reply

deepdive100
Loves-to-Learn Everything
‎08-23-2023 06:53 AM

So it seems the way forward for me is to write some scripts to pull down `index=app host=each_host sourcetype=each_sourcetype` for a specific time block, export them with the hostname in the title and import each with the hostname widget set to the filename.  One script of API calls with the variables on the hosts and sourcetype should do it.  Will try it out and update here

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-18-2023 01:31 PM

Hi

basically you could try to copy those from prod node. Here is an old post about it https://community.splunk.com/t5/Installation/How-to-migrate-indexes-to-new-indexer-instance/m-p/5280...

You should change needed configurations after copy as you want this to be a different host  also you should copy only needed indexes or remove those after rsync.

r. Ismo

 

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...