Splunk Enterprise Security

How to restore Glass Tables - ES Deployment Template

season88481
Contributor

Hi team,

We are in Enterprise Security

I cleared one of the default Glass Tables by mistake. Is there a way to restore this glass table?

I understand this "ES Deployment Template" is an out-of-the-box glass table. Could I restore the glass table by copying the configuration files from another Enterprise Security instance?

If yes, what files/folders should I copy from?

Thanks.
Season

0 Karma
1 Solution

bluger_splunk
Splunk Employee

Hi Season!

When you say you "cleared" the glasstable, is it safe to assume that this was done using the "clear" action available when editing a glasstable? Or was the glasstable removed/deleted from the system?

There is a way to restore the glasstable but it unfortunately can only be done if you have disk access to the system. If you do have disk access to the system, following the steps below should fix the issue.

These steps will walk you through the removal of the "ess_content_importer" metadata file. This file tracks which apps have had glass table content imported and which have not. Deleting it will force all content to be reimported for all installed apps. That said, the importer will NOT overwrite any existing content, so modifications to existing glass tables will remain unchanged.

  1. Delete the "ES Deployment Template" from within the "Saved Glass Tables" dashboard (called "Glass Tables" in the nav bar).
  2. Once the glass table has been deleted, navigate to the following directory on disk: "$SPLUNK_HOME/var/lib/splunk/modinputs/ess_content_importer"
  3. Once in this directory, delete the "ess_content_importer" file. Make sure you delete the "ess_content_importer" file (there is no extension for the file) and not the directory. It can be a bit confusing because the file name is the same as the name of the directory that contains it. To be clear, the full path of the file that needs to be removed is: "$SPLUNK_HOME/var/lib/splunk/modinputs/ess_content_importer/ess_content_importer".

Note that this resolution is only needed for the out-of-the-box glass tables because they were shipped within the SplunkEnterpriseSecuritySuite app, which cannot be disabled and re-enabled. To reimport content for any other apps, you can follow the steps outlined in the documentation linked below.

http://docs.splunk.com/Documentation/ES/4.7.0/User/ManageGlassTable#Restore_a_glass_table_that_you_d...

Hope this helps! Let me know if it doesn't.

Kindest Regards,

~Brian
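
Steps 2 and 3 of the answer above as a guarded shell function, added here as an example (it is not part of the original answer and not Splunk tooling): it refuses to act unless the target is a regular file inside the `ess_content_importer` directory, and copies the file aside before removing it. The function name, the `--apply` switch and the backup location are assumptions made for this example.

```shell
#!/bin/sh
# Added example covering steps 2-3 of the answer; step 1 is done in the UI first.
# Assumptions (not from the post): the function name, the --apply switch, and
# keeping a backup copy in a caller-chosen directory (default: $TMPDIR or /tmp).

reset_ess_content_importer() (
    splunk_home=$1
    backup_dir=${2:-${TMPDIR:-/tmp}}

    if [ -z "$splunk_home" ]; then
        echo "SPLUNK_HOME is empty; refusing to build a path from it" >&2
        exit 2
    fi

    dir="$splunk_home/var/lib/splunk/modinputs/ess_content_importer"
    file="$dir/ess_content_importer"   # same name as its parent directory

    if [ ! -d "$dir" ]; then
        echo "directory not found: $dir" >&2
        exit 3
    fi
    # Only act on a regular file: not a directory, not a symlink.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "no regular file at $file; nothing removed" >&2
        exit 4
    fi

    backup="$backup_dir/ess_content_importer.$(date +%Y%m%d%H%M%S).bak"
    cp -p -- "$file" "$backup" || exit 5

    # Plain rm with no -r, so the parent directory cannot be removed by mistake.
    rm -- "$file" || exit 6
    echo "$backup"
)

# Run against the real instance only when asked to: sh thisfile.sh --apply
if [ "${1:-}" = "--apply" ]; then
    reset_ess_content_importer "${SPLUNK_HOME:-}"
fi
```

On success the function prints the path of the backup copy; a second run exits with status 4 because the file is already gone and the directory is left in place.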
