I have been holding off on deployment of the Splunk app for Windows v5 with knowledge that many (100+) dashboards and reports will break due to references to Windows events by sourcetype.
I imagine it would be relatively easy to search and replace elements of impacted searches on the file system of a search head which is not clustered. I can't get my head around how best to make bulk updates to knowledge objects on a clustered search head. Does anyone have a good strategy to update searches in views and dashboards in bulk when breaking transforms, such as the Splunk app for Windows v5, need to get deployed?
I think you could still do that on the file system - just do it on the deployer (if needed in your env, e.g. local dashboards/reports) and do it on each member of the cluster. Then push the bundle and/or rolling restart.
Or, maybe a little less user-friendly, you could try to make the changes via the API against a member, as I think changes via the API will trigger replication.
Thanks for your input. I went ahead and wrote a PowerShell script to facilitate (1) identification of dashboards having text of concern, (2) replacement of text, (3) human review of proposed changes, (4) placing accepted changes in the clipboard, and finally (5) popping open a new tab in the browser with the dashboard open for editing so that the clipboard content can be pasted and saved.
| rest /servicesNS/-/-/saved/searches | table *title* *Search* | regex qualifiedSearch="(?msi)sourcetype\s*=\s*\"?winevent"
Thanks, that helped me with the next revision of the script to handle saved searches in addition to views...
| rest /servicesNS/-/-/data/ui/views splunk_server=local
| rename eai:appName as appName, eai:acl.owner as owner, eai:acl.sharing as sharing, eai:data as data, eai:type as type
| fields type, appName, sharing, owner, title, updated, matching_values, data, id
| append [
    | rest /servicesNS/-/-/saved/searches splunk_server=local
    | eval type="search"
    | rename eai:acl.app as appName, eai:acl.owner as owner, eai:acl.sharing as sharing, qualifiedSearch as data
    | fields type, appName, sharing, owner, title, updated, matching_values, data, id ]
| regex data="(?msi)sourcetype\s?=\s?\"?(xml)?wineventlog:[^\s]+"
| rex field=data "(?<matching_values>(?msi)sourcetype\s?=\s?\"?(xml)?wineventlog:[^\s]+)"
| sort 0 appName, type, title
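As an added example (not the script the thread's author wrote), here is the identify/replace/review loop from the post above driven through a cluster member's REST API, as maciep suggested, so the edited view replicates across the search head cluster. The host name, the credential, the PowerShell 7 parameters (-Authentication, -SkipCertificateCheck) and the sourcetype-to-source rewrite rule are assumptions, not taken from the thread.

```powershell
# Added example: dry-run bulk rewrite of dashboard XML via the Splunk REST API.
# Assumptions: a search head member at $Base (placeholder), a user allowed to
# write views, PowerShell 7+, and the rewrite rule below.
param(
    [string]$Base = "https://searchhead.example.internal:8089",   # placeholder
    [pscredential]$Cred = (Get-Credential),
    [switch]$Apply    # without -Apply nothing is written back
)

# Assumed rule: sourcetype=WinEventLog:<channel> -> sourcetype="WinEventLog" source="WinEventLog:<channel>"
$pattern = '(?i)sourcetype\s*=\s*"?(xml)?wineventlog:([^\s"<]+)"?'
$replace = { param($m)
    $st = if ($m.Groups[1].Value) { "XmlWinEventLog" } else { "WinEventLog" }
    'sourcetype="{0}" source="{0}:{1}"' -f $st, $m.Groups[2].Value
}

# Pull every view the account can see (count=0 = no paging limit).
$views = Invoke-RestMethod -Uri "$Base/servicesNS/-/-/data/ui/views?output_mode=json&count=0" `
    -Authentication Basic -Credential $Cred -SkipCertificateCheck

foreach ($v in $views.entry) {
    $xml = $v.content.'eai:data'
    if ($xml -notmatch $pattern) { continue }            # step 1: identify
    $new = [regex]::Replace($xml, $pattern, $replace)    # step 2: replace

    # Step 3: human review. The rule adds no newlines, so a line-by-line compare is enough.
    $old = $xml -split "`n"; $upd = $new -split "`n"
    Write-Host "== $($v.acl.app)/$($v.name) (owner $($v.acl.owner), $($v.acl.sharing))"
    for ($i = 0; $i -lt $old.Count; $i++) {
        if ($old[$i] -ne $upd[$i]) { Write-Host "- $($old[$i])`n+ $($upd[$i])" }
    }

    # Step 4: write the accepted change back to the member; the KO change then replicates.
    if ($Apply -and (Read-Host "Apply to $($v.name)? [y/N]") -eq 'y') {
        $uri = "$Base/servicesNS/$($v.acl.owner)/$($v.acl.app)/data/ui/views/$([uri]::EscapeDataString($v.name))"
        Invoke-RestMethod -Method Post -Uri $uri -Authentication Basic -Credential $Cred `
            -SkipCertificateCheck -Body @{ 'eai:data' = $new } | Out-Null
    }
}
```

Run it once without -Apply to get the full review listing for all members' views, then with -Apply to confirm each rewrite individually.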
I appreciate both your input and that of @maciep. Both inform a strategy or implementation, but neither is a full solution. The PowerShell script I posted is presently stable enough to support views, and I am sprinting towards added support for searches. I will close this question once the script is fully complete and a GitHub repo exists to adequately describe it for use by others.
Just to be clear, when you're ready, go ahead and post your answer with a link to your script and then accept that answer. Just want to be sure you weren't going to literally close the question... having it answered with your solution will likely help others in the future.
Sounds like a good plan. I plan to give the code a run on a production environment today and factor lessons learned into the code. I will probably close the issue over the weekend.
Here is the job aid (script) I am using to orchestrate the transition of saved searches and dashboards on our clustered search heads before installing the Splunk app for Windows v5. Hope it is helpful to others.