Refine your search:

Is it possible to import saved searches from 3.x splunk into 4.x splunk

1

We have a large number of 3.x splunk saved searches that I need to import into our new splunk 4.x distributed search server. I see that the format of the saved searches are very different. Is this at all possible? I would like to avoid having to manually enter each saved search.

Thanks

Ed

asked 15 Jun '10, 20:10

ebailey's gravatar image

ebailey
111
accept rate: 0%

2 Answers:
oldestnewestmost voted
1

Actually, in most cases you can just copy the entire savedsearches.conf file. While 4.x changes settings names, the old ones are still recognized. A slightly more reliable way is to install 4.x over the 3.x instance and start it up, which will run the auto-migration that will update the files.

link

answered 15 Jun '10, 21:15

gkanapathy's gravatar image

gkanapathy ♦
26.4k1622
accept rate: 42%

There are in some places some syntax changes in some more obscure search commands, but those are rare.

(15 Jun '10, 21:16) gkanapathy ♦
0

I found this other posting that might help answer your question. Unfortunately, there will be a little manual work involved.

http://answers.splunk.com/questions/1249/migrating-saved-search-from-3-x-to-4-x

There are also several pages of documentation that describes migrating saved searches on Splunk.com

http://www.splunk.com/base/Documentation/4.0.11/Installation/Whattoexpectwhenupgradingto4.0#What_you_must_migrate_manually

I hope that helps.

link

answered 15 Jun '10, 20:43

Jaci's gravatar image

Jaci ♦
8722217
accept rate: 75%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×200

Asked: 15 Jun '10, 20:10

Seen: 486 times

Last updated: 01 Dec '10, 09:22

Related questions

How can users view their saved searches in Splunk for BlueCoat?

Why do saved splunk searches take up so much memory?

What is the max number of saved searches a splunk server can hold?

Splunk migration: Tips for moving data, saved searches, and reports?

splunk failed to fetch form values for form "saved/searches"

Splunk for Bind ships with a bogus user owning saved searches

Saved Searches

Rename and grouping saved searches.

Splunk could not find a controller to import for the following module: "Splunk.Module.Test".

Copyright © 2005-2012 Splunk, Inc. All rights reserved.