I have a user account on splunk and I would like to export events and then import them into splunk where I have admin rights as well as root account in OS. I do not have account in OS where the source splunk is running, so I don't think I could use the exporttool. I believe I just have standard export options available on web GUI (CSV, XML, JSON, raw events). Is there any recommended method of exporting and importing data in such scenario?
Possibly I could also connect to the source splunk via REST api if this is the way to go.
BTW, I'm not sure if it makes any difference or not but in my case events contain netflow data.
I have tried to do it already, but the format of the CSV is different depending if it was fast/smart/verbose search. Regardless which mode I use and then export CSV file it does not seem to be ready for import out of the box. I get the following error:
# /opt/splunk/bin/splunk cmd importtool /opt/splunk/var/lib/splunk/defaultdb/db 1477039178_330.csv
Using logging configuration at /opt/splunk/etc/log-cmdline.cfg.
unable to parse time.
[...]
unable to parse time.
Successfully imported 0 events into bucket. Please ensure this bucket resides in a valid index and restart Splunk to recognize the new events.
so maybe I need to do some extra processing with that file or maybe I'm simply doing something stupid...
I've done the export/import CSV trick before without problems.
I've never seen the "Using logging configuration..." line, however.
Ok, I'm not sure how you exactly import that data. If you meant the commandline importtool then it's not working for me. At least not straight away with the syntax I specified above.
What finally has worked for me is importing the CSV file in web GUI Settings -> Data inputs -> (Local Inputs) Files & Directories.
ok, can you please clarify in your answer that you are referring to data inputs in the WEB GUI and not the commandline importtool? I would also emphasize that number of fields in the exported CSV file depends on the search mode (fast/smart/verbose).
Yes, I'm talking about the GUI, not the command line.
You should use the search mode that gives you the best results. You can always use the fields command to eliminate fields you don't need to export.
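The two points raised above, that the column set of a web-GUI CSV export depends on the search mode and that the `fields` command can trim it, can also be handled after the fact when re-running the search is not an option. The following is an added example, not code from this thread or from Splunk: it collapses an export from any search mode to a fixed `_time`/`_raw` column pair and converts `_time` to epoch seconds. The two sample exports are constructed, and the assumption that a downstream import wants epoch `_time` plus `_raw` is mine; adjust the `keep` tuple to whatever your import actually requires. Rows whose `_time` cannot be parsed raise an error with the line number rather than being dropped silently, which is the failure the `unable to parse time` output above hides.

```python
import csv
import io
from datetime import datetime

# Constructed sample (not from the thread): two netflow-style events as a
# verbose-mode CSV export would carry them, with extracted fields
# (src_ip, dst_ip, bytes, host) riding alongside _time and _raw.
VERBOSE_EXPORT = (
    '"_time","_raw","src_ip","dst_ip","bytes","host"\n'
    '"2016-10-21T08:39:38.000+00:00","2016-10-21 08:39:38 src=10.0.0.5 dst=10.0.0.9 bytes=1200","10.0.0.5","10.0.0.9","1200","flowcollector"\n'
    '"2016-10-21T08:39:39.000+00:00","2016-10-21 08:39:39 src=10.0.0.7 dst=10.0.0.9 bytes=800","10.0.0.7","10.0.0.9","800","flowcollector"\n'
)

# The same two events as a fast-mode export would carry them: default fields only.
FAST_EXPORT = (
    '"_time","_raw","host"\n'
    '"2016-10-21T08:39:38.000+00:00","2016-10-21 08:39:38 src=10.0.0.5 dst=10.0.0.9 bytes=1200","flowcollector"\n'
    '"2016-10-21T08:39:39.000+00:00","2016-10-21 08:39:39 src=10.0.0.7 dst=10.0.0.9 bytes=800","flowcollector"\n'
)


def splunk_time_to_epoch(value):
    """Convert the ISO-8601 _time string found in a CSV export
    (e.g. 2016-10-21T08:39:38.000+00:00) into epoch seconds as a string.
    Raises ValueError for anything it cannot parse so bad rows surface."""
    value = value.strip()
    if value.endswith("Z"):  # tolerate a trailing Z for UTC
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("_time has no timezone offset: %r" % value)
    return str(int(dt.timestamp()))


def normalize_export(csv_text, keep=("_time", "_raw")):
    """Reduce a CSV export to a fixed column set regardless of the search
    mode it came from, converting _time to epoch seconds.
    Returns a list of dicts, one per event, in file order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in keep if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("export lacks required columns: %s" % ", ".join(missing))
    rows = []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        try:
            out = {c: row[c] for c in keep}
            if "_time" in out:
                out["_time"] = splunk_time_to_epoch(out["_time"])
        except ValueError as exc:
            raise ValueError("line %d: %s" % (lineno, exc)) from None
        rows.append(out)
    return rows


def to_csv(rows, keep=("_time", "_raw")):
    """Serialise normalised rows back to CSV with a stable, quoted header."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(keep),
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Both exports collapse to identical output once normalised.
    print(to_csv(normalize_export(VERBOSE_EXPORT)))
    print(to_csv(normalize_export(FAST_EXPORT)) == to_csv(normalize_export(VERBOSE_EXPORT)))
```

Run it on a real export with `normalize_export(open("export.csv").read())`; if the import target needs extra columns (for example `host` or `sourcetype`), extend `keep` and the checks still apply.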