Dashboards & Visualizations

Possible option to combine a search command or dashboard XML along with the indexer data and export it to import at other Splunk instance

amit_saxena
Communicator

Hi all,

Is there a way to combine a search command or dashboard XML along with the indexer data and export it so that it can be imported at another Splunk instance ? This would be helpful for scenarios where a Splunk user wants to see the behavior of Splunk search with indexed data on some other Splunk instance for troubleshooting purposes ?

I admit that this would also introduce issues like indexes to be presented on the new Splunk instance but I assume that the solution will take care of this.

Note : I initially searched Splunk answers for this. I got two threads namely https://answers.splunk.com/answers/221798/exportimport-splunk-project.html and https://answers.splunk.com/answers/88107/export-index-data-from-production-splunk-and-import-intotes... . While they almost match my scenario, the only difference is that I want a Splunk command or an option in GUI as the solution. I don't want to copy directories from one instance to another which is tedious.

Regards,
Amit Saxena

Tags (1)
0 Karma

woodcock
Esteemed Legend

The easiest thing to do is just to point your "other Splunk instance" Search Head to the Indexer tier that has the data and then use the App Exporter app to move the app's KOs from the first Splunk Search Head to the "other Splunk instance" Search Head:

https://splunkbase.splunk.com/app/2613/

0 Karma

amit_saxena
Communicator

Hi Woodcock,

That sounds an interesting approach. I, however, can't try this as both Splunk instances are not connected with each other. Specifically, I am referring to Splunk instances available in mine as well as my friend's laptop. I am looking to transfer the exported data through USB drive.

Thanks for the solution anyway.

Regards,
Amit Saxena

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi amit_saxena,
in other word, you would reproduce your app and a data subset, correct?

If this is your need, you have to save all your objects (dashboards, fields, eventtypes, etc...) in an App, doing attention to not leave anything as private especially indexes.conf, and then copy this app in the new environment.

To take data, you have two choices: take all logs of the selected indexes or a subset of them.
First choice it's easier because you have to copy from your environment into the new one the full index (directory $SPLUNK_DB/var/lib/splunk/indexname with all subdirectories or the different one you used) beware that the path where index is stored in the new environment is the same of indexes.conf.
Otherwise if you want to extract only a subset of the index data, run your search saving results as not structured data in a file and then load them from the file.

Bye.
Giuseppe

0 Karma

amit_saxena
Communicator

Hi Giuseppe,

Thanks for the details.

I will try this out and revert.

Regards,
Amit Saxena

0 Karma

gcusello
SplunkTrust
SplunkTrust

If you'll satisfied, accept the answer, please.
If, you need other details, ask with no problems.
Bye.
Giuseppe

0 Karma

amit_saxena
Communicator

Hi Giuseppe,

Give me some time, I will try this and revert.

Regards,
Amit Saxena

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...