Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Export all alerts,reports and dashboards present in splunk UI

vineela
Path Finder
‎10-11-2021 02:28 AM

Hi All,

Actually in our splunk environment there is no test environment prior and now its present, So i need to replicate all the alerts,dashboards and reports present in production to test environment.
I didnt have access to backend environment of Splunk.
Is there any smarter way to do that instead of cloning each and every alert.
Waiting for response.

Thanks in Advance.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2021 06:14 AM

The easiest and perhaps smartest way is to copy $SPLUNK_HOME/etc from one environment to the other.  If you don't have access to the file system then try to find someone who does.

If that's not an option then consider using a backup app like https://splunkbase.splunk.com/app/5600.  It will handle alerts and reports, but probably won't do dashboards so you may have to copy them yourself.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vineela
Path Finder
‎10-12-2021 08:28 PM

I didnt have access to backend and cant do it and even i didnt have admin access to download base app.

can you suggest me the way or query to list out all the savedsearches from UI and check for cloning..whether its done or not.

There are 3 lower environments,how can we check whether the data is present for one app in all the environments,is there a way to check the same?


Thanks in Advance.



0 Karma
Reply

somesoni2
Revered Legend
‎10-13-2021 07:00 AM

Someone from your team or company should've admin access. Its much easier to get the information through them. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2021 06:29 AM

List out the savedsearches using REST.  What you will see may be limited by your role.  This is where having admin access would be a benefit.

| rest /servicesNS/-/-/saved/searches splunk_server=local

There is no setting that indicates a saved search is a clone.  The default name of a clone has "clone" in it, but is not a reliable indicator.  The best you can do is look for identical search strings.

| rest /servicesNS/-/-/saved/searches splunk_server=local
| fields title search
| stats dc(search) as searchCount by title
| where searchCount > 1
| table title

Comparing data for different environments does not have a Splunk solution.  You'll have to export the results from each environment and use other tools to compare them.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...