I have learned this is very important in making sure you can recover in case of a big disaster. It is a saving net for your saved searches, event types, tags, lookups, reports & all your customizations. I work in a large environment including Splunk Ent. & ES. Any planning / SPLs are much appreciated. Thx a ton!
There are several angles to consider as an admin on backing up and restoring an enterprise environment. How to do it, how to restore it, how often to test, how often to snap, etc.
Beyond that, the investment of time and energy of even one critical dashboard, macro, or query may justify looking into other ways to protect yourself. Several of us in the community have come up with ways to help with this too.
Check all of these things out to figure out how best to accomplish your goals. Good luck!
I appreciate your help. I did watch conf19 posted. As far as apps, do I need both apps listed or just one? Which is your favorite? Does the app ask where to store the information being backed up?
Thanks a million.
YMMV. Your cases aren't my cases, which is why I recommended not only the one I'm most familiar with, but the others that come up often. I do recommend you install and play with all of it in your dev environment, and figure out what meets your needs and wants. Then get rid of the rest. I recommend that you do not install things into your prod environment that you don't need. And to not seem evasive, I am satisfied between the services my admins (great people) provide and the solution dmarling and I presented. Our CYA solution scratches my exact itch, and has done so for years now. It also works in more than one Splunk product. Good luck on your journey!
Additionally, if you want a command-line Python script that can poll your Splunk environment's API on some kind of cron to pull each object individually into git, you can do so with this script I wrote: https://github.com/paychex/splunk-python/tree/main/Splunk2Git
It is functionally similar to @gjanders app but doesn't involve installing an app if you have users who individually want to maintain their objects in whatever repository they want instead.
If you're backing up $SPLUNK_HOME/etc then you have all of your KOs backed up.
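
An added example, not part of the thread and not the Splunk2Git script or any app mentioned above: a sketch of the one-file-per-object layout that an API-to-git backup relies on, with object names encoded so they cannot write outside the repository. The response shape (`entry`, `name`, `acl`, `content`), the directory layout and the function names are assumptions, and the sample data is constructed.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import quote

# Constructed sample shaped like a Splunk REST listing fetched with
# output_mode=json (assumption: each entry carries name, acl and content).
SAMPLE_RESPONSE = {"entry": [
    {"name": "Failed logins by host",
     "acl": {"app": "search", "owner": "alice", "sharing": "app"},
     "content": {"search": "index=auth action=failure | stats count by host"}},
    {"name": "../../escape attempt",
     "acl": {"app": "search", "owner": "bob", "sharing": "user"},
     "content": {"search": "index=main | head 1"}},
]}

def safe_component(value):
    """Percent-encode a name so it is always a single, harmless path component."""
    encoded = quote(value, safe=" ")  # encodes '/', '\\', NUL and other specials
    if encoded.strip(".") == "":      # '', '.', '..' would still be dangerous
        return encoded.replace(".", "%2E") or "_empty"
    return encoded

def export_objects(response, repo_root, kind="savedsearches"):
    """Write one JSON file per object; return paths relative to repo_root."""
    root = Path(repo_root).resolve()
    written = []
    for entry in response.get("entry", []):
        acl = entry.get("acl", {})
        target = (root / safe_component(acl.get("app", "unknown"))
                  / safe_component(acl.get("owner", "nobody"))
                  / kind / (safe_component(entry["name"]) + ".json"))
        # Defence in depth: refuse anything that still resolves outside the repo.
        if root not in target.resolve().parents:
            raise ValueError(f"unsafe object name: {entry['name']!r}")
        target.parent.mkdir(parents=True, exist_ok=True)
        # Sorted keys and fixed indentation keep git diffs limited to real changes.
        doc = {"name": entry["name"], "acl": acl, "content": entry.get("content", {})}
        target.write_text(json.dumps(doc, indent=2, sort_keys=True) + "\n", encoding="utf-8")
        written.append(target.relative_to(root).as_posix())
    return sorted(written)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path in export_objects(SAMPLE_RESPONSE, tmp):
            print(path)
```

Keeping the app, owner and sharing fields in each file preserves the ownership and permission context that a restore would need alongside the object definition.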