We are in the process of migrating from one farm to another. How can we move a set of dashboards and alerts from the original farm to the next?
All of the dashboards, saved searches, tags, eventtypes, etc. are collectively referred to as "knowledge objects" in Splunk.
They are stored in various directories under $SPLUNK_HOME/etc on the search head(s):
system - for system-level configurations, which should not normally include knowledge objects (but could)
apps - contains a directory for each app, with its associated knowledge objects (which are generally shared)
users - contains a directory for each user, containing the users' private knowledge objects
If you are moving from/to a search head cluster, you need to carefully follow the directions in the Distributed Search manual. If you are using independent search heads (not clustered), then you should be able to copy the apps and users directories from one search head to another. Don't copy the system directory across, but do check to see what is in it.
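To make the copy step above concrete, here is an added shell script (not from the original answer) that builds a constructed, throwaway $SPLUNK_HOME/etc tree in a temp directory, inventories the knowledge-object stanzas and XML views under apps/ and users/, copies only those two directories to the "new" search head, and prints what sits in system/local so it can be reviewed by hand instead of being copied. The directory layout and the sample .conf contents are constructed for the demo; on real hosts you would point it at /opt/splunk/etc on each side (and would normally use rsync -a over SSH rather than a local cp).

```shell
#!/bin/sh
# Added example: inventory and copy Splunk knowledge objects between two
# independent (non-clustered) search heads, skipping etc/system.
set -eu

# make_demo_etc DIR
#   Constructed fixture: a tiny fake $SPLUNK_HOME/etc with one system config,
#   one shared app (search) and one user's private saved search.
make_demo_etc() {
  etc="$1"
  mkdir -p "$etc/system/local" \
           "$etc/apps/search/local/data/ui/views" \
           "$etc/users/alice/search/local"
  printf '[general]\nserverName = old-sh\n' > "$etc/system/local/server.conf"
  printf '[Failed logins per host]\nsearch = index=auth action=failure | stats count by host\n' \
    > "$etc/apps/search/local/savedsearches.conf"
  printf '[auth_failure]\nsearch = index=auth action=failure\n' \
    > "$etc/apps/search/local/eventtypes.conf"
  printf '<dashboard><label>Auth overview</label></dashboard>\n' \
    > "$etc/apps/search/local/data/ui/views/auth_overview.xml"
  printf '[My private search]\nsearch = index=auth user=alice\n' \
    > "$etc/users/alice/search/local/savedsearches.conf"
}

# inventory_knowledge_objects ETC_DIR
#   Prints every stanza header ([name]) found in the knowledge-object .conf
#   files under apps/ and users/, prefixed with its relative path, followed by
#   every dashboard/form XML under data/ui/views.
inventory_knowledge_objects() {
  etc="$1"
  find "$etc/apps" "$etc/users" -type f \
    \( -name savedsearches.conf -o -name eventtypes.conf -o -name tags.conf \
       -o -name macros.conf -o -name props.conf -o -name transforms.conf \) \
    2>/dev/null | while read -r f; do
      grep -h '^\[' "$f" | sed "s|^|${f#$etc/}: |"
    done
  find "$etc/apps" "$etc/users" -type f -path '*/data/ui/views/*.xml' 2>/dev/null \
    | sed "s|^$etc/|view: |"
}

# copy_knowledge_objects SRC_ETC DST_ETC
#   Copies apps/ and users/ only. system/ is deliberately left behind; its
#   local files are listed so they can be reviewed on the new farm by hand.
copy_knowledge_objects() {
  src="$1"; dst="$2"
  mkdir -p "$dst/apps" "$dst/users"
  cp -a "$src/apps/." "$dst/apps/"
  cp -a "$src/users/." "$dst/users/"
  echo "Not copied; review $src/system/local by hand:"
  find "$src/system/local" -type f 2>/dev/null
}

# count_stanzas ETC_DIR
#   Number of knowledge-object stanzas the inventory finds (views excluded).
count_stanzas() {
  inventory_knowledge_objects "$1" | grep -c ': \[' || true
}

# Demo run against the constructed tree.
demo_root="$(mktemp -d)"
make_demo_etc "$demo_root/old"
echo "Knowledge objects on the old search head:"
inventory_knowledge_objects "$demo_root/old"
copy_knowledge_objects "$demo_root/old" "$demo_root/new"
echo "Stanzas now on the new search head: $(count_stanzas "$demo_root/new")"
```

Compare the inventory output from both sides after the copy; the counts should match, and the new search head should have no etc/system content that you did not put there deliberately.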
Saved searches are defined at search time in transforms.conf on the search head. Use these REST calls to identify everything you have; then you can start copying your conf files to the new servers.
Query1 (macros):
| rest splunk_server=local /servicesNS/-/-/properties/macros | table id eai:acl.owner | rename eai:acl.owner as owner | fillnull value="-" owner | map maxsearches=10000 search="| rest splunk_server=local $id$/definition | eval id=\"$id$\" | eval owner=\"$owner$\"" | where match(value,"YourSourceTypeHere\:") | table id | rex field=id ".+\/(?<search>.+)$" | table search | eval search="search=*\"`".search."`\"*"

Query2 (eventtypes):
| rest /servicesNS/-/-/saved/eventtypes splunk_server=local | search search="*YourSourceTypeHere*" | table title | eval search="search=\"*eventtype*=*".title."*\"" | table search

Query3 (saved searches):
| rest splunk_server=local /servicesNS/-/-/saved/searches | table title eai:acl.app search eai:acl.owner | rename eai:acl.owner as owner | where match(search,"YourSourceTypeHere")

Query4 (dashboards/forms):
| rest splunk_server=local /servicesNS/-/-/data/ui/views | table title eai:acl.app eai:data eai:acl.owner | rename eai:data as code eai:acl.owner as owner | where match(code,"YourSourceTypeHere")

Fields (extractions):
| rest /servicesNS/-/-/data/props/extractions splunk_server=local | rename eai:acl.app as App | search stanza=*prd_ngn_ace* | stats values(stanza) AS stanza values(title) as title values(value) AS RegEx values(attribute) AS ExtractionType by App | eval cap_path=mvzip(title,RegEx,ExtractionType) | mvexpand cap_path | makemv delim="," cap_path | eval capacity=mvindex(cap_path,0) | fields + cap_path App