Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Export all alerts,reports and dashboards present in splunk UI

vineela
Path Finder
‎10-11-2021 02:28 AM

Hi All,

Actually in our splunk environment there is no test environment prior and now its present, So i need to replicate all the alerts,dashboards and reports present in production to test environment.
I didnt have access to backend environment of Splunk.
Is there any smarter way to do that instead of cloning each and every alert.
Waiting for response.

Thanks in Advance.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2021 06:14 AM

The easiest and perhaps smartest way is to copy $SPLUNK_HOME/etc from one environment to the other.  If you don't have access to the file system then try to find someone who does.

If that's not an option then consider using a backup app like https://splunkbase.splunk.com/app/5600.  It will handle alerts and reports, but probably won't do dashboards so you may have to copy them yourself.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vineela
Path Finder
‎10-12-2021 08:28 PM

I didnt have access to backend and cant do it and even i didnt have admin access to download base app.

can you suggest me the way or query to list out all the savedsearches from UI and check for cloning..whether its done or not.

There are 3 lower environments,how can we check whether the data is present for one app in all the environments,is there a way to check the same?


Thanks in Advance.



0 Karma
Reply

somesoni2
Revered Legend
‎10-13-2021 07:00 AM

Someone from your team or company should've admin access. Its much easier to get the information through them. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2021 06:29 AM

List out the savedsearches using REST.  What you will see may be limited by your role.  This is where having admin access would be a benefit.

| rest /servicesNS/-/-/saved/searches splunk_server=local

There is no setting that indicates a saved search is a clone.  The default name of a clone has "clone" in it, but is not a reliable indicator.  The best you can do is look for identical search strings.

| rest /servicesNS/-/-/saved/searches splunk_server=local
| fields title search
| stats dc(search) as searchCount by title
| where searchCount > 1
| table title

Comparing data for different environments does not have a Splunk solution.  You'll have to export the results from each environment and use other tools to compare them.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...