We have two different on-prem environments: one lower and one higher environment.
While promoting the ITSI changes from the lower environment to the higher environment using the ITSI full backup and restore method, I am facing the below issues.
I have come across this many times as well. Your best option, in my opinion, is to move the savedsearches, macros, etc. from the /itsi/local app context to your self-managed application context, for example project-x_itsi_addon. Then promote the configurations from this app to a higher environment.
I am not 100% sure how the adaptive thresholds search would act if you try to migrate that one this way, so be a bit extra careful with those.
In general it's also good practice to maintain your KPI searches and Correlation searches in your separate application context. You can thereafter use a reference to a savedsearch in the ITSI KPI/KPI Base/Correlation searches with "| savedsearch my_saved_search_from_app_1". Note that the my_saved_search_from_app_1 needs to be shared globally. This will enable you to promote KPI search changes to another Splunk environment from your custom app context without needing to restore an ITSI backup.
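The layout described in the answer above, sketched as an added example that is not part of the original post or of Splunk's own documentation. The app name and saved search name are the ones used in the answer; the search string, index, sourcetype and field names are constructed placeholders, and the paths assume a standard $SPLUNK_HOME/etc/apps layout.

```ini
# Constructed example: search content below is a placeholder, not a real KPI.

# --- $SPLUNK_HOME/etc/apps/project-x_itsi_addon/default/savedsearches.conf ---
[my_saved_search_from_app_1]
search = index=placeholder_index sourcetype=placeholder_sourcetype \
| stats avg(response_time) AS avg_response_time BY host

# --- $SPLUNK_HOME/etc/apps/project-x_itsi_addon/metadata/default.meta ---
# "Shared globally" on disk is export = system. Without it the saved search
# stays private to project-x_itsi_addon and cannot be resolved from ITSI.
# Read is open to all roles so the KPI can run; write is kept to admin so a
# globally visible search cannot be edited by every role that can read it.
[savedsearches/my_saved_search_from_app_1]
access = read : [ * ], write : [ admin ]
export = system

# --- Search string entered in the ITSI KPI / KPI base / correlation search ---
# | savedsearch my_saved_search_from_app_1
```

With this in place, promoting a KPI search change means deploying project-x_itsi_addon to the higher environment; the ITSI object only holds the reference.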
@srauhala_splunk Thank you for your response.
Do you have any thoughts on my 2nd question? Is there any way to exclude the entities promotion as part of the backup and restore?
Hi @srauhala_splunk ,
One last question: is there any way to exclude the entities while doing a full backup?
And is there any Splunk documentation available related to these additional best practices for Splunk ITSI backup and recovery (like what you suggested, maintaining the savedsearches in a separate folder)?
@vinothnaga No, not to my knowledge. I think your best option is a partial backup.
Not that I know of, since this is in regard to configuring ITSI to be easier to migrate to another environment, not part of ITSI best practice itself. Here you can find some useful information on ITSI in general: https://www.splunk.com/pdfs/getting-started/splunk-getting-started-with-itsi.pdf