how to automatically change index name in all the ...

deepthi5

Hi i initially created a index name with XYZ and there are around 60 reports alerts and 15 dashboard created on this index now the index name has to be changed with XYZ_audit and i have to update all these reports with neaw name of the index can i do this automatically using a script or any other way

richgalloway

You can do that using a shell script in the CLI. Look for "XYZ" in $SPLUNK_HOME/etc/apps/*/*/savedsearches.conf, $SPLUNK_HOME/etc/system/local/savedsearches.conf, and $SPLUNK_HOME/etc/apps/*/*/data/ui/views/*.

---
If this reply helps you, Karma would be appreciated.

isoutamo

Probably something like this

for i in $(find /opt/splunk/etc -type f \( -name savedsearches.conf -o -name "*.xml" \) -print0 | xargs -0 egrep -l "<your old index>"|egrep -v \.old); do echo "file:" $i; sed -e 's/<your old index>/<your new index>/g' -I.backup  $i  ;done

Check sed's parameters and also test this first!!!! You will run this by your own responsibility without any guarantees!

PickleRick

While the oneliner is relatively OK (though the nitpicker in me could point out some bad practices ;-)) it will replace all occurrences of a _string_ even if it's used in a completely different context, not just an index name.

@deepthi5The usual disclaimer - automatic finding of such things will not cover all possible usages. Index can be specified directly in search, can be specified within a macro, an eventtype or even dynamically using a subsearch.

how to automatically change index name in all the searches it is using

using Splunk Enterprise

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?