Is there a way to combine a search command or dashboard XML along with the indexer data and export it so that it can be imported into another Splunk instance? This would be helpful for scenarios where a Splunk user wants to see the behavior of a Splunk search with indexed data on some other Splunk instance for troubleshooting purposes.
I admit that this would also introduce issues, like the indexes needing to be present on the new Splunk instance, but I assume that the solution will take care of this.
Note: I initially searched Splunk Answers for this. I got two threads, namely https://answers.splunk.com/answers/221798/exportimport-splunk-project.html and https://answers.splunk.com/answers/88107/export-index-data-from-production-splunk-and-import-intotes... . While they almost match my scenario, the only difference is that I want a Splunk command or an option in the GUI as the solution. I don't want to copy directories from one instance to another, which is tedious.
The easiest thing to do is just to point your "other Splunk instance" Search Head to the Indexer tier that has the data and then use the App Exporter app to move the app's KOs from the first Splunk Search Head to the "other Splunk instance" Search Head.
That sounds like an interesting approach. I, however, can't try this, as the two Splunk instances are not connected to each other. Specifically, I am referring to Splunk instances on my laptop as well as my friend's. I am looking to transfer the exported data via a USB drive.
Thanks for the solution anyway.
In other words, you would reproduce your app and a data subset, correct?
If this is your need, you have to save all your objects (dashboards, fields, eventtypes, etc.) in an App, taking care not to leave anything as private, especially indexes.conf, and then copy this app into the new environment.
To take data, you have two choices: take all logs of the selected indexes or a subset of them.
The first choice is easier because you only have to copy the full index from your environment into the new one (the directory $SPLUNK_DB/var/lib/splunk/indexname with all its subdirectories, or whichever different one you used); make sure that the path where the index is stored in the new environment is the same as the one in indexes.conf.
Otherwise, if you want to extract only a subset of the index data, run your search, save the results as unstructured data in a file, and then load them from the file.
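As an added example (not code from either answer in this thread), a small Python check for the second answer's warning that the index path on the new instance has to match indexes.conf: it parses the app's indexes.conf and flags bucket paths that are not rooted at $SPLUNK_DB, since those name a directory on the source laptop rather than wherever the index directory gets copied to. The sample conf, its index names and the /data/splunk path are constructed.

```python
# Added example (not from the thread): flag indexes.conf bucket paths that
# will not resolve on another Splunk instance. SAMPLE_CONF is constructed.
PATH_KEYS = ("homePath", "coldPath", "thawedPath")

SAMPLE_CONF = """\
[weblogs]
homePath = $SPLUNK_DB/weblogs/db
coldPath = $SPLUNK_DB/weblogs/colddb
thawedPath = $SPLUNK_DB/weblogs/thaweddb

[customdata]
homePath = /data/splunk/customdata/db
coldPath = /data/splunk/customdata/colddb
thawedPath = $SPLUNK_DB/customdata/thaweddb
"""


def parse_conf(text):
    """Minimal parser for Splunk .conf syntax: [stanza] headers, key = value lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def non_portable_paths(stanzas):
    """(index, key, value) for each bucket path not rooted at $SPLUNK_DB: such a
    path names a directory on the source machine, so after copying the index
    directory the target instance would still look in the wrong place."""
    return [(index, key, settings[key])
            for index, settings in stanzas.items() if index != "default"
            for key in PATH_KEYS
            if key in settings and not settings[key].startswith("$SPLUNK_DB")]


def portable_rewrite(stanzas):
    """Copy of stanzas with flagged paths rewritten as $SPLUNK_DB/<index>/<leaf>."""
    fixed = {index: dict(settings) for index, settings in stanzas.items()}
    for index, key, value in non_portable_paths(stanzas):
        leaf = value.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
        fixed[index][key] = f"$SPLUNK_DB/{index}/{leaf}"
    return fixed
```

Run the check on the app's local/indexes.conf before packing the app and the index directory onto the USB drive; anything it flags has to be rewritten (or the same directory created on the other laptop) or Splunk there will report the index as empty.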