Hi,
I am wondering if there is a version control system used by any of the splunk users for maintaining their artifacts like Splunk Dashboards, Reports and Alerts?
I understand most people used for the splunk configurations files. But the requirement we have is to maintain a version of the Dashboards and Reports or Alerts configurations. The expectation is use this as a roll back strategy, when some one changes a dashboard or alert or deletes them by mistake.
Can you some one provide some ideas on how this scenario is handled and how the dashboards and other search artifacts are backed up in their splunk environments
Thanks in Advance
I'm looking for a tool for tracking changes of knowledge objects only in an app, not all under $SPLUNK_HOME/etc, but $SPLUNK_HOME/etc/apps/my_app_to_track
Which tool can support that?
Thanks!
This will show you how to track conf file changes. Earlier questions wanted to change control on dashboards which are xml files so it wont work for those.
You might like my new app https://splunkbase.splunk.com/app/6895 which allows you to track changes to knowledge objects .
It's no effort, doesn't need any 3rd party software (so no git required for instance) and works equally well on-prem and in cloud.
On conf19 there was this presentation. Cover your assets. Another way to make backups.
https://conf.splunk.com/files/2019/slides/FN1315.pdf
(and Others) - A Paychex story
Industries: Not industry specific
Products: Splunk Enterprise, Splunk IT Service Intelligence, Splunk Machine Learning Toolkit
Session Video
Session Slides
SPEAKERS
Dustin Marling, Splunk App Developer, Paychex
Eric Favreau, Service Health Operations Analyst, Paychex
"Did we just lose ALL our knowledge objects? Do you know how much time and energy that was?" After a destructive resync, Paychex lost two months of its knowledge object creations/modifications. We learned to be prepared if it were to ever happen again. How? It's easier than you might think, and you don't have to be an admin. You’ll learn how to proactively save your work (dashboards, reports, data models, MLTK experiments, ITSI glass tables, macros, views, etc.) and audit changes when they occur. You will leave the session knowing how to manage the ever-increasing amount of things you create. You'll also have solutions that can save you time and effort from having to recreate lost/modified objects, including how to restore service faster. You also will come away with peace of mind knowing that you can take control of safeguarding and protecting your work, thereby covering your assets when a disaster happens.
R. Ismo
You can get the queries @efavreau and myself showed in our presentation from our git repo!
I built an app for this called VersionControl For Splunk as per chrisyongerjds's link, the primary difference with the app I've built and the other two linked is that my app is built for backup and restore.
Note that as a result of using json.dump from python, what my app stores in git is not very friendly for a human to read, as it's literally the JSON-encoded strings of configuration.
If you want human-readable configuration in git then use Git version control for splunk (Chris Yonger's app) or Stateful snapshot for Splunk
Hi @dhineshsv ,
Hopefully one day Splunk will build native version control into the product. In the meantime, I have had good success by committing my entire /etc/
folder into git on a regular and automated schedule. There are a few apps on Splunkbase that can do this automatic process for you:
With these, you can see the contents of a dashboard or conf file at a specific point in time.
I have deployed 'Git version control for Splunk' in a few large production environments now and it has been a huge help for knowing what has changed in an environment and for restoring accidentally deleted dashboards.
Hope this helps!
Hello Chris,
While both version control apps look great, they are not compatible for Splunk cloud - which is where they would all need to be, on the ES search head. Have you found any alternatives to those needing it on the cloud?
You might like my new app https://splunkbase.splunk.com/app/6895 which allows you to track changes to knowledge objects .
It's no effort, doesn't need any 3rd party software (so no git required for instance) and works equally well on-prem and in cloud.
VersionControl for Splunk could likely be modified to be cloud compatible, however I would need someone to test it as I do not have a cloud instance...