Install the app on all desired Search Heads (support case required for ES and ITSI on Splunk Cloud Classic).
Then open the app, and click Setup in the navigation bar. Each panel represents a configuration you should change.
Set both the index and host macros, then enable the scheduled search. You can optionally edit the REST endpoints that are backed up.
All this app does is run the following scheduled search daily. It also provides a dashboard to help you understand what's being backed up.
| rest splunk_server=local /services/apps/local count=0 search=visible=1
| eval x=1, host=coalesce(`search_head_backup_host`,splunk_server)
| fields title host x
| join max=0 x [| inputlookup search_head_backup_targets.csv | eval x=1]
| eval uri="/servicesNS/nobody/".title."/".target
| map search="| rest splunk_server=local $uri$ count=0 search=eai:acl.app=$title$ | eval label=\"$label$\" | tojson | fields _raw | collect index=`search_head_backup_index` host=$host$ sourcetype=json_no_timestamp source=$uri$" maxsearches=1000
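One way to check that the daily search is actually writing backups, as an added example that is not part of the app: it lists every visible app with the number of events collected into the backup index over the last 24 hours. The 24-hour window and the `objects`, `last_backup` and `status` field names are assumptions; the macro, sourcetype and source layout are taken from the search above.

```spl
| rest splunk_server=local /services/apps/local count=0 search=visible=1
| fields title
| join type=left title
    [ search index=`search_head_backup_index` sourcetype=json_no_timestamp earliest=-24h
      ``` source is the REST URI: /servicesNS/nobody/<app>/<target> ```
      | rex field=source "^/servicesNS/nobody/(?<title>[^/]+)/"
      | stats count as objects, max(_time) as last_backup by title ]
| fillnull value=0 objects
| eval last_backup=if(objects=0, "-", strftime(last_backup, "%F %T"))
| eval status=if(objects=0, "nothing collected in last 24h", "ok")
| sort objects
| table title objects last_backup status
```

An app with zero events may simply have no objects under any backed-up endpoint, so treat a zero as a prompt to check rather than proof of a failed backup.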