We have created a new Splunk 6.6.3 cluster environment with 3SH and 6 indexers. I've been asked to copy the saved searches, dashboards, etc from the old system to the new system. Unfortunately it seems all of the dashboards were created under the default search application.
How do I move from the \etc\apps\search\local to the new clustered system?
There are also a number of xml files in the etc/apps/search/local/data/ui/views, how do I copy that over as well?
If it is search head clustered environment, then the best way to do it is to create it in Captain instance. Copying the configuration files for dashboard is hactic task, just copy the xmls and create new dashboards.
For saved searches, savedsearches.conf file is avaible you can copy that.
Captain will replicate all the search artifacts and saved searches to other SHC members.
Follow these steps and see if it works for you,
On deployer, create an app with some name "oldstufffromsearchapp" under $SPLUNK_HOME/etc/shcluster/apps/ directory.
local directory from search app on old search head and paste it inside "oldstufffromsearchapp"
Push configurations to search heads -- From deployer, $SPLUNKHOME/bin, run this command, `./splunk apply shcluster-bundle -target <captainURI>:8089 -auth
More info here.
Hi @nls7010 - Did any of these answers provide a working solution to your question? If yes, don't forget to click "Accept" to close out your question so that others can easily find it if they are having the same issue. Otherwise, please give us more information so someone else can suggest a fix. Thanks and happy Splunking!