Is there a way to export all searches, alerts and reports from all users to another Splunk instance?

New Member

Hello guys,

My question is pretty simple. Is there an easy way to export all your searches/reports and alerts created from every user, from one Splunk indexer instance to another instance? My only suggestion for this problem was to locate all savedsearches.conf from every user and create the users on my new machine and copy all the .conf files. So my question is if there's an easier way to do this.

regards,

Daniel

0 Karma

Re: Is there a way to export all searches, alerts and reports from all users to another Splunk instance?

Splunk Employee

Hi @DanielUhimann,

Not sure if this helps you, but I stumbled upon this in Splunk Docs: https://docs.splunk.com/Documentation/Splunk/7.1.2/Installation/MigrateaSplunkinstance

Does anything in there help?


Re: Is there a way to export all searches, alerts and reports from all users to another Splunk instance?

SplunkTrust

Copy the entire users directory?
What is it exactly that you are trying to do? And why?

0 Karma

Re: Is there a way to export all searches, alerts and reports from all users to another Splunk instance?

Splunk Employee

@danieluhlmann

Were you able to solve your problem? If so, please describe how you were able to do this in an answer post.

If your problem is still not solved, keep us updated so that someone else can help ya.

Thanks for posting!

0 Karma

Re: Is there a way to export all searches, alerts and reports from all users to another Splunk instance?

Contributor

It's easy, just copy those XML files from views and the savedsearch file to another app, or create a new one and copy.


Re: Is there a way to export all searches, alerts and reports from all users to another Splunk instance?

Path Finder

Thanks @felipesewaybricker .

I have tried it and it is working perfectly. But I need to create documentation on this, so I need the Splunk-suggested documents. Could you please add any Splunk document links?

Thanks,
@saibal6

0 Karma

Re: Is there a way to export all searches, alerts and reports from all users to another Splunk instance?

Builder

These posts look helpful:
https://answers.splunk.com/answers/49477/query-to-retrieve-saved-search-string.html
https://answers.splunk.com/answers/107423/using-splunk-rest-to-list-saved-searches-only-returns-a-li...

And creating searches using the REST API:
http://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches

Unfortunately, that is as much as I can show because I do not have access to the REST API in my environment.

0 Karma

Re: Is there a way to export all searches, alerts and reports from all users to another Splunk instance?

Esteemed Legend

Check out this REST API endpoint:

/servicesNS/-/-/
0 Karma

Re: Is there a way to export all searches, alerts and reports from all users to another Splunk instance?

Path Finder

AppExporter

That is a tool that I use for situations like this.

0 Karma

Re: Is there a way to export all searches, alerts and reports from all users to another Splunk instance?

SplunkTrust

Something to keep in mind when doing this sort of migration: just copying the user data will likely not be sufficient for everything to work properly. You will also need to ensure that any knowledge objects used by existing reports (field extractions, lookups, etc.) are migrated as well.

If this is a case where you are replacing your search head with a new one, it would make the most sense to perform a migration of the configuration to ensure everything is moved over.

0 Karma
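An added example, not code from any poster in this thread or from Splunk: before copying files as the question proposes, this inventories every `savedsearches.conf` under a copy of the `etc` directory and lists the lookups and macros each search references, which is the dependency the last reply warns about. It assumes the `etc/users/<user>/<app>/local/` and `etc/apps/<app>/<default|local>/` layout; the function names, the heuristic regexes, the `(app)` owner label for app-level files and the sample stanza are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns for knowledge objects referenced in SPL: lookups and `macros`.
LOOKUP_RE = re.compile(r"\|\s*(?:input|output)?lookup\s+(?:\w+=\S+\s+)*([\w.\-]+)")
MACRO_RE = re.compile(r"`([\w\-]+)(?:\([^`]*\))?`")

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, joining backslash continuations."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = (pending + raw).strip(), ""
        if line.endswith("\\"):
            pending = line[:-1] + " "  # hold the partial value until the next line
        elif line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def inventory(etc_dir):
    """One row per saved search under etc/users (private) and etc/apps (shared)."""
    etc, rows = Path(etc_dir), []
    confs = sorted(etc.glob("users/*/*/local/savedsearches.conf"))
    confs += sorted(etc.glob("apps/*/*/savedsearches.conf"))
    for conf in confs:
        parts = conf.relative_to(etc).parts
        owner, app = (parts[1], parts[2]) if parts[0] == "users" else ("(app)", parts[1])
        for name, keys in parse_conf(conf.read_text(encoding="utf-8")).items():
            spl = keys.get("search", "")
            rows.append({"owner": owner, "app": app, "name": name,
                         "scheduled": keys.get("enableSched") in ("1", "true"),
                         "lookups": sorted(set(LOOKUP_RE.findall(spl))),
                         "macros": sorted(set(MACRO_RE.findall(spl)))})
    return rows

def build_sample_tree():
    """Constructed sample: one private alert for user 'alice' in the search app."""
    root = Path(tempfile.mkdtemp())
    conf = root / "users" / "alice" / "search" / "local" / "savedsearches.conf"
    conf.parent.mkdir(parents=True)
    conf.write_text("[Failed logins]\nenableSched = 1\n"
                    "search = `auth_indexes` action=failure \\\n| lookup asset_owners host OUTPUT owner\n")
    return root

if __name__ == "__main__":
    print(*inventory(build_sample_tree()), sep="\n")
```

Any lookup or macro name in the output that does not exist on the target instance marks a search that will break after the copy.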