Dashboards & Visualizations

Possible option to combine a search command or dashboard XML along with the indexer data and export it to import at other Splunk instance

amit_saxena
Communicator

Hi all,

Is there a way to combine a search command or dashboard XML along with the indexer data and export it so that it can be imported at another Splunk instance? This would be helpful for scenarios where a Splunk user wants to see the behavior of a Splunk search with indexed data on some other Splunk instance for troubleshooting purposes.

I admit that this would also introduce issues like indexes to be presented on the new Splunk instance but I assume that the solution will take care of this.

Note: I initially searched Splunk Answers for this. I got two threads, namely https://answers.splunk.com/answers/221798/exportimport-splunk-project.html and https://answers.splunk.com/answers/88107/export-index-data-from-production-splunk-and-import-intotes... . While they almost match my scenario, the only difference is that I want a Splunk command or an option in the GUI as the solution. I don't want to copy directories from one instance to another, which is tedious.

Regards,
Amit Saxena

0 Karma

woodcock
Esteemed Legend

The easiest thing to do is just to point your "other Splunk instance" Search Head to the Indexer tier that has the data and then use the App Exporter app to move the app's KOs from the first Splunk Search Head to the "other Splunk instance" Search Head:

https://splunkbase.splunk.com/app/2613/

0 Karma

amit_saxena
Communicator

Hi Woodcock,

That sounds like an interesting approach. I, however, can't try this as the two Splunk instances are not connected with each other. Specifically, I am referring to Splunk instances on my laptop and on my friend's laptop. I am looking to transfer the exported data through a USB drive.

Thanks for the solution anyway.

Regards,
Amit Saxena

0 Karma

gcusello
SplunkTrust

Hi amit_saxena,
in other words, you would reproduce your app and a data subset, correct?

If this is your need, you have to save all your objects (dashboards, fields, eventtypes, etc.) in an App, taking care not to leave anything as private, especially indexes.conf, and then copy this app into the new environment.

To take data, you have two choices: take all logs of the selected indexes or a subset of them.
The first choice is easier because you only have to copy the full index (the directory $SPLUNK_DB/var/lib/splunk/indexname with all subdirectories, or the different one you used) from your environment into the new one; beware that the path where the index is stored in the new environment must be the same as in indexes.conf.
Otherwise, if you want to extract only a subset of the index data, run your search saving the results as unstructured data in a file and then load them from the file.

Bye.
Giuseppe

0 Karma
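Giuseppe's second route (export a search result subset to a file, carry it over, then load it on the other instance) as an added example; this is not code from the thread or from Splunk. It uses the REST management port's search/jobs/export and receivers/simple endpoints and assumes a reachable base URL, credentials and a CA file for each laptop, and that the target index already exists there; the sample export text is constructed.

```python
import base64
import json
import pathlib
import ssl
import urllib.parse
import urllib.request

# Constructed sample of /services/search/jobs/export output (output_mode=json):
# one JSON object per line, each carrying one result.
SAMPLE_EXPORT = (
    '{"preview":false,"offset":0,"result":{"_raw":"Jan 05 10:00:01 host1 sshd[2201]: Accepted publickey for alice","sourcetype":"linux_secure"}}\n'
    '{"preview":false,"offset":1,"result":{"_raw":"Jan 05 10:00:07 host1 sshd[2209]: Failed password for bob","sourcetype":"linux_secure"}}\n'
    '{"preview":true,"offset":2,"result":{"_raw":"partial preview row"}}\n'
)

def parse_export(text):
    """Return (sourcetype, _raw) pairs; preview rows and blank lines are dropped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("preview") or "result" not in obj:
            continue
        events.append((obj["result"].get("sourcetype", "unknown"), obj["result"]["_raw"]))
    return events

def _post(base_url, path, auth, data, cafile, query=None):
    """Authenticated POST to the management port; cafile keeps TLS verification on."""
    url = base_url + path + ("?" + urllib.parse.urlencode(query) if query else "")
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        return resp.read().decode()

def export_subset(base_url, auth, cafile, spl, outfile, earliest="-24h"):
    """Source laptop: stream the results of an SPL search (must start with 'search') to a file."""
    body = urllib.parse.urlencode({"search": spl, "output_mode": "json", "earliest_time": earliest}).encode()
    text = _post(base_url, "/services/search/jobs/export", auth, body, cafile)
    pathlib.Path(outfile).write_text(text)
    return len(parse_export(text))

def import_subset(base_url, auth, cafile, infile, index):
    """Target laptop: replay each _raw event into an index that already exists there."""
    events = parse_export(pathlib.Path(infile).read_text())
    for sourcetype, raw in events:
        _post(base_url, "/services/receivers/simple", auth, raw.encode(),
              cafile, {"index": index, "sourcetype": sourcetype})
    return len(events)
```

Run export_subset on the first laptop (e.g. base_url "https://localhost:8089"), copy the output file via the USB drive, then run import_subset on the second; Splunk re-parses timestamps from _raw under the original sourcetype.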

amit_saxena
Communicator

Hi Giuseppe,

Thanks for the details.

I will try this out and revert.

Regards,
Amit Saxena

0 Karma

gcusello
SplunkTrust

If you're satisfied, accept the answer, please.
If you need other details, ask without any problem.
Bye.
Giuseppe

0 Karma

amit_saxena
Communicator

Hi Giuseppe,

Give me some time, I will try this and revert.

Regards,
Amit Saxena

0 Karma