Splunk Enterprise Security

How to restore Glass Tables - ES Deployment Template

season88481
Contributor

Hi team,

We are in Enterprise Security

I cleared one of the default Glass Tables by mistake. Is there a way to restore this glass table?

I understand this "ES Deployment Template" is an out-of-the-box glass table. Could I restore the glass table by copying the configuration files from another Enterprise Security instance?

If yes, what files/folders should I copy from?

Thanks.
Season

0 Karma
1 Solution

bluger_splunk
Splunk Employee

Hi Season!

When you say you "cleared" the glasstable, is it safe to assume that this was done using the "clear" action available when editing a glasstable? Or was the glasstable removed/deleted from the system?

There is a way to restore the glasstable but it unfortunately can only be done if you have disk access to the system. If you do have disk access to the system, following the steps below should fix the issue.

These steps will walk you through the removal of the "ess_content_importer" metadata file. This file tracks which apps have had glass table content imported and which have not. Deleting it will force all content to be reimported for all installed apps. That said, the importer will NOT overwrite any existing content, so modifications to existing glass tables will remain unchanged.

  1. Delete the "ES Deployment Template" from within the "Saved Glass Tables" dashboard (called "Glass Tables" in the nav bar).
  2. Once the glass table has been deleted, navigate to the following directory on disk: "$SPLUNK_HOME/var/lib/splunk/modinputs/ess_content_importer"
  3. Once in this directory, delete the "ess_content_importer" file. Make sure you delete the "ess_content_importer" file (there is no extension for the file) and not the directory. It can be a bit confusing because the file name is the same as the name of the directory that contains it. To be clear, the full path of the file that needs to be removed is: "$SPLUNK_HOME/var/lib/splunk/modinputs/ess_content_importer/ess_content_importer".

Note that this resolution is only needed for the out-of-the-box glass tables because they were shipped within the SplunkEnterpriseSecuritySuite app, which cannot be disabled and re-enabled. To reimport content for any other apps, you can follow the steps outlined in the documentation linked below.

http://docs.splunk.com/Documentation/ES/4.7.0/User/ManageGlassTable#Restore_a_glass_table_that_you_d...

Hope this helps! Let me know if it doesn't.

Kindest Regards,

~Brian
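
The file removal from steps 2 and 3 above, as an added shell example that is not part of the answer or of Splunk's own tooling: it refuses to act unless the target is a regular file inside the directory of the same name, so the directory itself is never removed. The function name `reset_ess_importer` and the backup-directory argument are hypothetical, and keeping a copy before deleting goes beyond the steps in the answer; step 1 is still done in the UI.

```shell
#!/bin/sh
# Added example (not Splunk-provided): delete the ess_content_importer
# metadata FILE while leaving the directory of the same name in place.
# reset_ess_importer and the backup directory are hypothetical choices.

reset_ess_importer() {
    splunk_home=$1   # value of $SPLUNK_HOME
    backup_dir=$2    # assumed location for the saved copy, outside the modinputs tree
    dir="$splunk_home/var/lib/splunk/modinputs/ess_content_importer"
    file="$dir/ess_content_importer"

    [ -n "$splunk_home" ] && [ -n "$backup_dir" ] || {
        echo "usage: reset_ess_importer SPLUNK_HOME BACKUP_DIR" >&2
        return 2
    }
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 3; }

    # The file and its parent directory share a name. Only proceed when the
    # inner path is a plain file: not a directory, not a symlink, not absent.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "not a regular file, nothing removed: $file" >&2
        return 4
    fi

    # Keep a copy so the importer state can be put back if needed.
    mkdir -p "$backup_dir" || return 5
    backup="$backup_dir/ess_content_importer.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$file" "$backup" || return 5

    # rm without -r cannot remove a directory, even if the path were wrong.
    rm -- "$file" || return 6

    # Sanity check: the containing directory must still exist.
    [ -d "$dir" ] || return 7
    printf '%s\n' "$backup"
}

# Usage (prints the path of the saved copy):
#   reset_ess_importer "$SPLUNK_HOME" /var/tmp/ess_importer_backup
```
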
