Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Exporting and Importing response plans
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I was wondering if there is a way to import/export response plans and investigations in splunk8.x,
my goal is to include Response Plans in a custom app that we have built and are deploying across multiple projects
from what I have gathered so far this may not be possible because these features are specific to Splunk Enterprise Security, If that is the case is there a clean or standard way to move Response Plans and Investigations between environments?
also Im not sure if I posted this question in the right location, please let me know if it would be better suited elsewhere
thank you so much
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Elina
As @PickleRick mentioned, this is now available for >= ES 8.4
Check out the docs at https://help.splunk.com/en/splunk-enterprise-security-8/api-reference/8.4/splunk-enterprise-security... (Import) and https://help.splunk.com/en/splunk-enterprise-security-8/api-reference/8.4/splunk-enterprise-security...(Export)
but essentially its something like:
Export/Download:
curl --request GET \
--url http://yoursplunkserver:8089/servicesNS/nobody/missioncontrol/public/v2/responsetemplates/YourTemplateID/download \
--header 'Accept: application/octet-stream, application/json' \
--header 'Authorization: Bearer yourSplunkToken'
Import:
curl --request POST \
--url https://yoursplunkserver:8089/servicesNS/nobody/missioncontrol/public/v2/responsetemplates/import \
--header 'Accept: application/octet-stream, application/json' \
--header 'Authorization: Bearer yourSplunkToken' \
--header 'Content-Type: application/json' \
--data '{
"files": [
{
"filename": "security_template.json",
"data": "data:application/json;base64,eyJuYW1lIjogIlNlY3VyaXR5In0=",
"name": "My Custom Security Template"
}
]
}'Where the data is a Base64 encoded JSON string containing the template.
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you all so much, I'm going to try them when we upgrade, Thanks Again!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Elina
As @PickleRick mentioned, this is now available for >= ES 8.4
Check out the docs at https://help.splunk.com/en/splunk-enterprise-security-8/api-reference/8.4/splunk-enterprise-security... (Import) and https://help.splunk.com/en/splunk-enterprise-security-8/api-reference/8.4/splunk-enterprise-security...(Export)
but essentially its something like:
Export/Download:
curl --request GET \
--url http://yoursplunkserver:8089/servicesNS/nobody/missioncontrol/public/v2/responsetemplates/YourTemplateID/download \
--header 'Accept: application/octet-stream, application/json' \
--header 'Authorization: Bearer yourSplunkToken'
Import:
curl --request POST \
--url https://yoursplunkserver:8089/servicesNS/nobody/missioncontrol/public/v2/responsetemplates/import \
--header 'Accept: application/octet-stream, application/json' \
--header 'Authorization: Bearer yourSplunkToken' \
--header 'Content-Type: application/json' \
--data '{
"files": [
{
"filename": "security_template.json",
"data": "data:application/json;base64,eyJuYW1lIjogIlNlY3VyaXR5In0=",
"name": "My Custom Security Template"
}
]
}'Where the data is a Base64 encoded JSON string containing the template.
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I asked about this on Slack some time ago.
Supposedly you can do
curl -d '<templateJSON>' -k -u "user:pw" -H "Content-Type: application/json" -X POST https://<ES>:8089/servicesNS/nobody/missioncontrol/v1/responsetemplates
But also 8.4 is supposed to have the export/import feature built-in.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
