Thanks for the detailed response. The Lookup table process makes sense ... With regards to the first part, restoring a dashboard ... Since this is a dashboard created by a user via the UI, it wouldn't be something we'd typically bundle in an app ... I'm thinking that maybe the best way to handle this would be:
Pick a cluster member, login and shutdown the UI
Restore the file to its original directory
Restart Splunk
Check to see if the dashboard is now visible on that cluster member
Check another cluster member ... if the dashboard isn't visible, then edit and save the dashboard on the member where you restored it, and then check the other cluster members ... my guess would be that it'll now have been replicated to them.
( That probably sounds convoluted )
Anyway, thanks so much for your help.
... View more