Is it possible to create a backup of the app with data and visualization for a specific date to keep for a future date?
It depends on what your goal is.
Because an app as such is actually a bunch of files stored together for:
1) Ease of management (so that you can easily deploy them as a single app or remove as one; also for proper configuration file precedence)
2) Permission management (so you can grant permissions for particular apps to specific roles)
But from your question I suppose you want to capture a state of the whole system in order to be able to recreate some specific reports or visualizations within a single app.
It's not that easy.
1. Reports/visualizations from one app will most probably rely on stuff from other apps (extractions, calculated fields, lookups, maybe datamodels). So just one app is usually not enough on its own.
2. Of course the report/dashboard is created from the data stored at a given point in time in your Splunk system so you'd have to not only find out which data it is and properly copy it out (let's for now leave aside the topic of technical details of copying it out), but also make sure that the data does not "age" and is not rotated to frozen and removed from the system over time on the destination system.
3. Usually reports and dashboards use searches with time ranges defined relative to the current moment (like "from a week ago to this day's beginning"). If you execute such a search in two weeks' time you will surely get different results simply because the search will be run against a completely different set of data even though you might still have the original data in place.
So it's more complicated than it seems.
If you need to capture some state at this point I'd rather think about exporting the results of some reports or screenshots of your dashboards - that's static data which is guaranteed not to change over time.
Otherwise you'll have to solve all those problems I mentioned earlier.
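To make point 3 above concrete, here is an added example (not code from this thread) that resolves a "from a week ago to this day's beginning" range, written as `-7d@d` to `@d`, at two different run times. It assumes UTC, constructed dates, and a simplified subset of Splunk's relative time modifiers (units s, m, h, d only); the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Simplified subset of Splunk's relative time modifiers: [+|-]<N><unit>[@<snap>]
# with units s, m, h, d only (week/month snapping is left out on purpose).
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_SNAP = {
    "s": {"microsecond": 0},
    "m": {"second": 0, "microsecond": 0},
    "h": {"minute": 0, "second": 0, "microsecond": 0},
    "d": {"hour": 0, "minute": 0, "second": 0, "microsecond": 0},
}
_MODIFIER = re.compile(r"(?:([+-]\d+)([smhd]))?(?:@([smhd]))?")


def resolve(modifier, now):
    """Turn a relative modifier such as '-7d@d' into an absolute datetime."""
    if modifier == "now":
        return now
    m = _MODIFIER.fullmatch(modifier)
    if not m or not modifier:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    offset, unit, snap = m.groups()
    t = now
    if offset:
        t += timedelta(**{_UNITS[unit]: int(offset)})  # apply the signed offset
    if snap:
        t = t.replace(**_SNAP[snap])  # snap down to the start of the unit
    return t


def window(earliest, latest, now):
    """Absolute (start, end) that a search with these modifiers covers at `now`."""
    return resolve(earliest, now), resolve(latest, now)


def pinned(earliest, latest, now):
    """Freeze the window as epoch seconds, which do not move with the run time."""
    start, end = window(earliest, latest, now)
    return int(start.timestamp()), int(end.timestamp())


if __name__ == "__main__":
    # Constructed run times: the snapshot day and a re-run two weeks later.
    first = datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)
    later = first + timedelta(days=14)
    print("first run :", window("-7d@d", "@d", first))
    print("later run :", window("-7d@d", "@d", later))
    print("pinned    :", pinned("-7d@d", "@d", first))
```

The two relative windows do not overlap at all, while the pinned pair stays the same no matter when it is used.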
Hi @harimadambi,
if an app is correctly created without private objects, it can be easily backed up by taking the files from $SPLUNK_HOME/etc/apps/your_app.
For data it is a little more difficult because you have to know which indexes are used by the App and then back them up.
You can find all the indexes in:
SPLUNK_DB by default is $SPLUNK_HOME/var/lib/splunk, but probably it's different in your installation.
Ciao.
Giuseppe
@gcusello Thank you for the answer. I'm managing a multisite indexer cluster which holds many customer projects' data and their visualizations. I would like to create a snapshot of a particular project for a specific date in the past and it should be kept for the future. The reason I'm calling it a snapshot is that I need the same visualizations along with the full data in another index.
So my idea was to create another index and copy the data from the source index, say demo, to the destination index, say demo_snapshot, with the collect command. But there I can see some data loss. So I would like to know if there are any suggestions I can get from the Splunk community to achieve my target.
Thank you,
Hi @harimadambi,
if you want to copy data from an index to another, you can create a scheduled search (with the frequency you prefer for updates) using the collect command:
index=your_starting_index
| collect index=your_new_index
Honestly, it isn't so clear to me why you want to do this: I understand the app backup, but usually indexes are under a general backup policy and there isn't a requirement to back up only one index. But that's only my opinion; you can copy the events of one or more indexes into another one and use it for your purposes.
Ciao.
Giuseppe