Splunk ITSI

Is it possible to export ITSI Services?

theprophet01
Explorer

I'm looking to export services from Splunk ITSI; however, there is no direct export feature in the GUI (at least within the Services page). Is there any other way to export ITSI services?


spavin
Path Finder

Hi @theprophet01,

If you have an itoa_admin role, you can export services, entities, glass tables, KPI searches, templates, etc. from the following menu:

Configuration > Backup/Restore

  1. Click Create Job > Create Backup Job

  2. Select Partial Backup, give it a name and description, uncheck include conf files, then click next

  3. Select the services you'd like to back up

  4. Click Save and Backup

  5. You will be taken to the Backup/Restore jobs page, where your job will be queued. When it's finished, usually after a few minutes, you can download the backup as a zip.

  6. Go to the same page on a different Splunk instance to restore it - this time select Restore Job and upload the zip file.

 

See the capabilities here: https://docs.splunk.com/Documentation/ITSI/4.18.1/Configure/Capabilities

You'll need the ones listed under "Backup/Restore", which by default are only given to itoa_admin.


proyleJDS
Path Finder

A search like this will also give you an output that would allow you to practically clone a service tree:

  • Replace <service_title> with the services you want to clone
  • Replace <info_field> with any service info fields you need to use
  • Replace <old> and <new> at the end to make new service names
  • Use the "Create Service" Import from Search option with this search to make a clone of your service tree.

| getservice 
| search title IN ("<service_title>*","<service_title>*") 
| fillnull value="none" services_depends_on base_service_template_id 
| fields title services_depends_on base_service_template_id 
| rex field=services_depends_on "serviceid=(?<serviceid>.*)~~~" 
| fillnull value="none" serviceid 
| mvexpand serviceid 
| join type=outer serviceid 
    [| `service_kpi_list` 
    | fields serviceid service_name] 
| stats list(service_name) as dependent_services by title base_service_template_id 
| eval dependent_services=mvjoin(dependent_services, ",") 
| rename title as service_name base_service_template_id as template_id 
| join type=outer template_id 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/base_service_template report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        template_id=spath(value, "_key"),
        template_name=spath(value, "title") 
    | fields template_id template_name] 
| join type=outer service_name 
    [| inputlookup itsi_entities 
    | fields services._key title 
    | rename services._key as services title as host 
    | mvexpand services 
    | lookup service_kpi_lookup _key as services 
    | stats list(host) as host by title 
    | eval host=mvjoin(host, ",") 
    | rename title as service_name] 
| makemv delim="," host 
| mvexpand host 
| join type=outer host 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        entity_id=spath(value, "_key"),
        entity_title=spath(value, "title"),
        entity_name=spath(value, "identifying_name") 
    | appendpipe 
        [| where isnull(field_type) 
        | mvexpand info_fields 
        | eval field_value = spath(value,info_fields."{}"), field_type="info" 
        | rename info_fields as field_name
            ] 
    | where field_name IN ("<info_field>","<info_field>","<info_field>","<info_field>") 
    | stats list(field_value) as field_value by field_name entity_name 
    | eval field_value=mvjoin(field_value,",") 
    | eval {field_name}=field_value 
    | stats latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> by entity_name 
    | rename entity_name as host] 
| fields - template_id
| eval service_name=replace(service_name,"<old>","<new>"),dependent_services=replace(dependent_services,"<old>","<new>")
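
An added check, not part of the original posts: before handing the search output to "Import from Search", this Python script audits a CSV export of the results for service names the `<old>`/`<new>` replace left unchanged (they collide with existing services) and for dependencies that point outside the cloned tree. The column names follow the search's final fields; the function name, sample rows and service titles are constructed for illustration, and service titles are assumed to contain no commas.

```python
import csv
import io


def audit_clone_export(csv_text, existing_titles):
    """Audit rows produced by the clone search before importing them.

    csv_text        -- CSV export of the search results (after the rename)
    existing_titles -- service titles already present on the target instance
    Returns a list of (finding, service_name, related_name) tuples.
    """
    existing = set(existing_titles)
    deps_by_service = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("service_name") or "").strip()
        if not name:
            continue
        raw = row.get("dependent_services") or ""
        deps = {d.strip() for d in raw.split(",") if d.strip()}
        # The search expands one row per host, so merge rows per service.
        deps_by_service.setdefault(name, set()).update(deps)

    findings = []
    for name in sorted(deps_by_service):
        # A name that already exists means the replace() did not match,
        # or the new name is already taken on the target.
        if name in existing:
            findings.append(("collision", name, name))
        for dep in sorted(deps_by_service[name]):
            if dep in deps_by_service:
                continue  # dependency is part of the cloned tree
            kind = "links_to_existing" if dep in existing else "dangling"
            findings.append((kind, name, dep))
    return findings


# Constructed sample: a "Shop-PROD" tree renamed to "Shop-DR".
SAMPLE_CSV = """service_name,dependent_services,template_name,host
Shop-DR,"Shop-DR Web,Shop-DR DB",,
Shop-DR Web,Shop-PROD Cache,Web Template,web01
Shop-DR Web,Shop-PROD Cache,Web Template,web02
Shop-DR DB,Shop-DR Storage,DB Template,db01
Shop-PROD Batch,,Batch Template,batch01
"""
SAMPLE_EXISTING = ["Shop-PROD", "Shop-PROD Web", "Shop-PROD DB",
                   "Shop-PROD Cache", "Shop-PROD Batch"]

if __name__ == "__main__":
    for kind, service, target in audit_clone_export(SAMPLE_CSV, SAMPLE_EXISTING):
        print(f"{kind:18} {service!r} -> {target!r}")
```

The list of existing titles can come from `| getservice | fields title` on the target instance.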

 


theprophet01
Explorer

This is perfect, thanks @spavin!
