How can we migrate dashboards and alerts from one farm to another?


We are in the process of migrating from one farm to another. How can we move a set of dashboards and alerts from the original farm to the next?



All of the dashboards, saved searches, tags, eventtypes, etc. are collectively referred to as "knowledge objects" in Splunk.
They are stored in various directories under $SPLUNK_HOME/etc on the search head(s):

system - for system-level configurations, which should not normally include knowledge objects (but could)
apps - contains a directory for each app, with its associated knowledge objects (which are generally shared)
users - contains a directory for each user, containing the users' private knowledge objects

If you are moving from/to a search head cluster, you need to carefully follow the directions in the Distributed Search manual. If you are using independent search heads (not clustered), then you should be able to copy the apps and users directories from one search head to another. Don't copy the system directory across, but do check to see what is in it.
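
The copy described in this answer, as an added shell example that is not part of the original thread: it lists knowledge-object files under apps and users, counts any that sit in system/local for manual review, and archives only apps and users. The function names and the list of file names are assumptions chosen for illustration, and it applies to independent (non-clustered) search heads only.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Usage: sh ko_migrate.sh /opt/splunk/etc /tmp/knowledge_objects.tar

# List knowledge-object files under one scope of etc/ (apps, users or system):
# the .conf files that hold searches, macros, eventtypes, tags and extractions,
# plus dashboard XML under data/ui/views.
list_knowledge_objects() {
    etc=$1; scope=$2
    [ -d "$etc/$scope" ] || return 0
    ( cd "$etc" && find "$scope" -type f \( \
        -name savedsearches.conf -o -name macros.conf -o -name eventtypes.conf \
        -o -name tags.conf -o -name props.conf -o -name transforms.conf \
        -o -path '*/data/ui/views/*.xml' \) | sort )
}

# Count knowledge objects in system/local. These are not copied; a non-zero
# count means objects were saved at system level and need manual review.
count_system_local() {
    list_knowledge_objects "$1" system | grep -c '^system/local/' || true
}

# Archive only apps/ and users/, relative to etc/, so the tarball can be
# unpacked under the target's etc/. system/ is left out on purpose.
package_knowledge_objects() {
    etc=$1; out=$2
    tar -C "$etc" -cf "$out" apps users
}

# Number of archive members outside apps/ and users/ (should be 0).
count_unexpected_members() {
    tar -tf "$1" | grep -cv -e '^apps/' -e '^users/' || true
}

if [ "$#" -eq 2 ]; then
    echo "== apps ==";  list_knowledge_objects "$1" apps
    echo "== users =="; list_knowledge_objects "$1" users
    echo "system/local knowledge objects to review: $(count_system_local "$1")"
    package_knowledge_objects "$1" "$2"
    echo "unexpected archive members: $(count_unexpected_members "$2")"
fi
```

The archive keeps paths relative to etc, so the users directory carries each user's private objects under the same user names on the target.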


Saved searches are defined at search time in props.conf and transforms.conf on the search head. Use these REST calls to identify everything you have, and you can start copying your conf files to the new servers.

Query1 (macros)
    | rest splunk_server=local /servicesNS/-/-/properties/macros | table id eai:acl.owner | rename eai:acl.owner as owner | fillnull value="-" owner | map maxsearches=10000 search="| rest splunk_server=local $id$/definition | eval id=\"$id$\" | eval owner=\"$owner$\"" | where match(value,"YourSourceTypeHere\:") | table id | rex field=id ".+\/(?<search>.+)$" | table search | eval search="search=*\"`".search."`\"*"

Query2 (eventtypes)
    | rest /servicesNS/-/-/saved/eventtypes splunk_server=local | search search="*YourSourceTypeHere*" | table title | eval search="search=\"*eventtype*=*".title."*\"" | table search

Query3 (Saved searches)
    | rest splunk_server=local /servicesNS/-/-/saved/searches | table title search eai:acl.owner | rename eai:acl.owner as owner | where match(search,"YourSourceTypeHere")

Query4 (Dashboards/Forms)
    | rest splunk_server=local /servicesNS/-/-/data/ui/views | table title eai:data eai:acl.owner | rename eai:data as code eai:acl.owner as owner | where match(code,"YourSourceTypeHere")


    | rest /servicesNS/-/-/data/props/extractions splunk_server=local | rename eai:acl.app as App
    | search stanza=*prd_ngn_ace*
    | stats values(stanza) AS stanza values(title) as title values(value) AS RegEx values(attribute) AS ExtractionType by App
    | eval cap_path=mvzip(title,RegEx,ExtractionType)
    | mvexpand cap_path
    | makemv delim="," cap_path
    | eval capacity=mvindex(cap_path,0)
    | fields + cap_path App