Deployment Architecture

How to change savedsearches and views in bulk on clustered search head

dstaulcu
Builder

I have been holding off on deployment of the splunk app for windows v5 with knowledge that many (100+) dashboards and reports will break due to references to windows events by sourcetype.

I imagine it would be relatively easy to search and replace elements of impacted searches on the file system of a search head which is not clustered. I can't get my head around how best to make bulk updates to knowledge objects on a clustered search head. Does anyone have a good strategy to update searches in views and dashboards in bulk when breaking transforms, such as the splunk app for windows v5, need to get deployed?

1 Solution

dstaulcu
Builder

Here is the job aide (script) I am using to orchestrate the transition of savedsearches and dashboards on our clustered search heads before installing Splunk app for Windows v5. Hope it is helpful to others.


woodcock
Esteemed Legend

There is now an app to help with upgrades called Upgrade Planner for Splunk Add-on for Windows:
https://splunkbase.splunk.com/app/4594/

woodcock
Esteemed Legend

See my new answer about an app to help. It can be used to "grade the effectiveness of your work" using this script in preparation for the upgrade.

woodcock
Esteemed Legend

Try this:

| rest /servicesNS/-/-/saved/searches
| table *title* *Search*
| regex qualifiedSearch = "(?msi)sourcetype\s*=\s*\"?winevent"

dstaulcu
Builder

Thanks, that helped me with the next revision of the script to handle saved searches in addition to views...

| rest /servicesNS/-/-/data/ui/views splunk_server=local 
| rename eai:appName as appName, eai:acl.owner as owner, eai:acl.sharing as sharing, eai:data as data, eai:type as type 
| fields type, appName, sharing, owner, title, updated, matching_values, data, id 
| append 
    [| rest /servicesNS/-/-/saved/searches splunk_server=local 
    | eval type="search" 
    | rename eai:acl.app as appName, eai:acl.owner as owner, qualifiedSearch as data 
    | fields type, appName, sharing, owner, title, updated, matching_values, data, id
        ] 
| regex data="(?msi)sourcetype\s?=\s?\"?(xml)?wineventlog:[^\s]+" 
| rex field=data "(?<matching_values>(?msi)sourcetype\s?=\s?\"?(xml)?wineventlog:[^\s]+)" 
| sort 0 appName, type, title

woodcock
Esteemed Legend

So you are good to go now? If so, click Accept to close the question.


dstaulcu
Builder

I appreciate both your input and that of @maciep. Both inform a strategy or implementation but neither are a full solution. The PowerShell script I posted is presently stable enough to support views and I am sprinting towards added support for searches. I will close this question once the script is fully complete and a github repo exists to adequately describe it for use by others.

maciep
Champion

just to be clear, when you're ready, go ahead and post your answer with a link to your script and then accept that answer. Just want to be sure you weren't going to literally close the question...having it answered with your solution will likely help others in the future.


dstaulcu
Builder

Sounds like a good plan. I plan to give the code a run on a production environment today and factor lessons learned into the code. Probably will close the issue over the weekend.


maciep
Champion

I think you could still do that on the file system - just do it on the deployer (if needed in your env, e.g. local dashboard/reports) and do it on each member of the cluster. Then push the bundle and/or rolling restart.

Or, maybe a little less user-friendly, you could try to make the changes via the API against a member, as I think changes via the API will trigger replication.


dstaulcu
Builder

Thanks for your input. I went ahead and wrote a PowerShell script to facilitate (1) identification of dashboards having text of concern, (2) replacement of text, (3) human review of proposed changes, (4) placing accepted changes in the clipboard, and finally (5) popping open a new tab in the browser with the dashboard open for editing so that the clipboard content can be pasted and saved.

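As an added example (not the poster's PowerShell script and not code from the thread), here is a Python sketch of steps (1) to (3) of the workflow described above, reusing the sourcetype regex from the rest search earlier in the thread. The dashboard XML, the saved search and the MAPPING of old sourcetype values to replacement SPL fragments are constructed placeholders; the real post-upgrade names come from the app's documentation.

```python
import difflib
import re
from xml.etree import ElementTree as ET

# Same idea as the (?msi)sourcetype... regex in the SPL above, tightened so the value
# stops at a closing quote and the optional quote pair is consumed as a unit (\1).
SOURCETYPE_RE = re.compile(
    r'sourcetype\s?=\s?("?)((?:xml)?wineventlog:[^\s"]+)\1', re.I | re.M | re.S)

def find_references(spl: str) -> list[str]:
    """Step 1: every Windows event log sourcetype value referenced in one SPL string."""
    return [m.group(2) for m in SOURCETYPE_RE.finditer(spl)]

def rewrite_search(spl: str, mapping: dict[str, str]) -> str:
    """Step 2: swap each matched sourcetype term for the fragment the mapping supplies.
    Keys match case-insensitively; unmapped references are left as they are so they
    still show up in review rather than being silently dropped."""
    def replace(m: re.Match) -> str:
        new = mapping.get(m.group(2).lower())
        return m.group(0) if new is None else new
    return SOURCETYPE_RE.sub(replace, spl)

def dashboard_queries(xml_text: str) -> list[str]:
    """Pull every <query> element (Simple XML) out of a dashboard definition."""
    root = ET.fromstring(xml_text)
    return [(q.text or "").strip() for q in root.iter("query")]

def review_diff(current: str, proposed: str, title: str) -> str:
    """Step 3: unified diff for a human to accept or reject before anything is saved."""
    return "\n".join(difflib.unified_diff(
        current.splitlines(), proposed.splitlines(),
        fromfile=f"{title} (current)", tofile=f"{title} (proposed)", lineterm=""))

# Constructed samples (not taken from the thread): one dashboard and one saved search.
SAMPLE_DASHBOARD = """<dashboard><row><panel><chart><search>
<query>index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 | timechart count</query>
</search></chart></panel></row></dashboard>"""
SAMPLE_SEARCH = "sourcetype=WinEventLog:System EventCode=7036 | stats count by host"

# Hypothetical mapping: old sourcetype value (lower case) -> replacement SPL fragment.
# Take the real post-upgrade names from the app's documentation, not from here.
MAPPING = {
    "wineventlog:security": 'source="XmlWinEventLog:Security" sourcetype=XmlWinEventLog',
    "wineventlog:system": 'source="XmlWinEventLog:System" sourcetype=XmlWinEventLog',
}

if __name__ == "__main__":
    objects = [("logon_chart", dashboard_queries(SAMPLE_DASHBOARD)[0]), ("service_changes", SAMPLE_SEARCH)]
    for title, spl in objects:
        if find_references(spl):
            print(review_diff(spl, rewrite_search(spl, MAPPING), title), end="\n\n")
```

Feeding it the `data` column from the rest search above (views and saved searches alike) gives one diff per object to review before anything is pasted back into the dashboard editor.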