Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can we move alerts from one app to another?

splunker9999
Path Finder
‎03-02-2016 08:06 AM

Hi,

We need to move few alerts from one app to another, is there a way we can do this?

Thanks

Reply

woodcock
Esteemed Legend
‎03-07-2017 12:52 PM

What a GREAT selection of answers! Make sure that you pick the one that worked best for you and up-vote any that worked at all.

Reply

ltrand
Contributor
‎03-07-2017 05:56 AM

To programatically complete the move, do the following:

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/myapp/saved/searches/mysearch/move  \
        -d user=nobody \
        -d app=otherapp

https://docs.splunk.com/Documentation/Splunk/6.5.2/RESTTUT/RESTbasicexamples#Move_an_object_to_a_dif...

0 Karma
Reply

gyslainlatsa
Motivator
‎03-03-2016 03:49 AM

hi splunker9999,

all alerts are setup in your savedsearches.conf (there could by multiple files!) you must check for any action.* items, because this will define an alert. Copy all the stanza alerts that you want to move into a new savedsearches.conf file, then copy and paste the file into your target application (in the default directory or local).

then you restarted splunk and everything will work.

for more informations about savedsearches or savedsearches.conf, see this link:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Configuringalertsinsavedsearches.conf

0 Karma
Reply

chimell
Motivator
‎03-03-2016 02:55 AM

Hi
In Splunk web , go to Setting- -> Searches, reports, and alerts in Actions column click on clone of your existing alert, in open form choose your new app in Destination app ** dropdown and **save

Reply

woodcock
Esteemed Legend
‎03-02-2016 11:58 AM

Assuming that you do not have CLI access to your Search Head and that you do not have a Deployment Server, then, if you have several in one app and need to move them to another app you can export both apps using the app exporter tool, hand merge them and then upgrade the app with the merged app zip/tgz file:

https://splunkbase.splunk.com/app/2613/

0 Karma
Reply

harsmarvania57
Ultra Champion
‎03-02-2016 08:11 AM

Hi,

You can see "Move" button for that alert in Setting -> Searches, reports, and alerts and select new application.

Thanks,
Harshil

Reply

harsmarvania57
Ultra Champion
‎10-04-2019 01:33 AM

Just to update, if anyone want to move mutiple knowledge objects from one app to another then it'll be pain in Splunk WebGUI because you need to move knowledge object one by one, to simplified this I have created python script which uses Splunk REST API to move multiple knowledge objects https://github.com/harsmarvania57/splunk-ko-change (NOTE: Please use that script at your own risk :P)

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...