Alerting

Migrate All Alerts from one instance to other instance

snehalk
Communicator

Hello Everyone,

I need to migrate only alerts from one instance to another instance. From this link http://answers.splunk.com/answers/141246/transferring-alerts-from-one-instance-to-another.html

we can export all, like dashboards, views and all, but I need to export only alerts. Can anyone help me on this?

Thank you

1 Solution

MuS
SplunkTrust

Hi snehalk,

All alerts are set up in your savedsearches.conf (there could be multiple files!). You must check for any action.* items, because this will define an alert. Copy all stanzas into a new savedsearches.conf file and move that to the new server.

See the docs for details http://docs.splunk.com/Documentation/Splunk/6.2.0/Alert/Configuringalertsinsavedsearches.conf

hope this helps ...

cheers, MuS
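
One way to apply the selection rule from the accepted answer (keep the stanzas that contain any `action.*` key), as an added example that is not part of the original thread or Splunk's own tooling; the sample configuration is constructed and the function names are hypothetical. It treats a trailing backslash as a line continuation, so a multi-line `search` value is neither split nor mistaken for a setting.

```python
import re

# Constructed sample savedsearches.conf content (not from a real deployment).
SAMPLE_CONF = r"""
[Failed logins over threshold]
search = index=auth action=failure \
| stats count by user
enableSched = 1
action.email = 1
action.email.to = soc@example.com

[Weekly login report]
search = index=web \
action.type=login | timechart count
enableSched = 1
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
ACTION_RE = re.compile(r"^\s*action\.[\w.]+\s*=")


def split_stanzas(text):
    """Yield (name, lines) per stanza; a trailing backslash continues a value."""
    name, lines, continued = None, [], False
    for line in text.splitlines():
        m = None if continued else STANZA_RE.match(line)
        if m:
            if name is not None:
                yield name, lines
            name, lines = m.group(1), []
        elif name is not None:
            lines.append(line)
        continued = line.rstrip().endswith("\\")
    if name is not None:
        yield name, lines


def has_action(lines):
    """True if any setting line (not a continuation line) is an action.* key."""
    continued = False
    for line in lines:
        if not continued and ACTION_RE.match(line):
            return True
        continued = line.rstrip().endswith("\\")
    return False


def extract_alerts(text):
    """Return only the stanzas that carry action.* keys, ready to write out."""
    kept = ["[%s]\n%s\n" % (name, "\n".join(body).strip("\n"))
            for name, body in split_stanzas(text) if has_action(body)]
    return "\n".join(kept)
```

Run `extract_alerts` over the contents of each savedsearches.conf found on the old instance and review the kept stanzas before copying the result to the new server.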


brent_weaver
Builder

Great post, but how do you move this to a search head cluster where we need the directories to stay in sync? My savedsearches.conf is under my user folder within Splunk on the old system. How do I migrate that to ensure that it syncs with the other nodes?


MuS
SplunkTrust

Hi brent_weaver, the answer did not consider SHC. But you can find the information in the docs (as always!):
From http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/HowconfrepoworksinSHC

Note: The deployer works in concert with cluster replication to migrate user (not app) configurations to the cluster members. The typical use case for this is to migrate user settings on an existing search head pool or standalone search head to the search head cluster. You put the user configurations that you want to migrate on the deployer. The deployer pushes them to the captain, which then replicates them to the other cluster members. For details, see "User configurations."

Next page can be found here http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/PropagateSHCconfigurationchanges#User_c...

cheers, MuS
