Downloading Knowledge Object Sync(KOS)
SHA256 checksum (knowledge-object-synckos_202.tgz) 7c0c46f2f7b4fb6f34b0ed79ff7d1d1b0071e8f0f0f650e6c26584c63842db88
SHA256 checksum (knowledge-object-synckos_201.tgz) fa1ad5454a8c95ba610e905d948128dbd5b15c6926471b3e1b166563ffeb16e4
SHA256 checksum (knowledge-object-synckos_200.tgz) f3e4b7eb5215360c23f64e5df25b8ef64b464a09046a87533fddb60ec09f9364
Knowledge Object Sync(KOS)

Splunk Cloud
* Description *
Using KOS you can verify that all your Knowledge Objects (KOs) were moved correctly and with the same content (search, data, etc.).
This works whether you are migrating from on-prem to on-prem or from on-prem to the cloud.

* Setup *
Splunk Enterprise:
Go to Manage Apps > Browse more Apps > Look for Knowledge Object Sync(KOS) and install it

Splunk Cloud:
Go to Manage Apps > Browse more Apps > Look for Knowledge Object Sync(KOS) and install it

* Help *
While this app is not formally supported, the developer can be reached at cbran@bitsioinc.com (OR in splunk-usergroups slack, Christhian Bran (C)). Responses are made on a best-effort basis. Feedback is always welcome and appreciated!
Learn more about the splunk-usergroups Slack here: https://docs.splunk.com/Documentation/Community/current/community/Chat#Join_us_on_Slack

Instructions

Prerequisites

Before installing this app, the following needs to be addressed.
Export these lookups. The examples below assume the environment is called cloud-test:

| rest splunk_server=local /servicesNS/-/-/data/ui/views | fields eai:acl.sharing, eai:acl.app, disabled, label, title, eai:acl.owner eai:data updated
-> LOOKUP: cloud-test_all_dashboards.csv

| rest splunk_server=local /servicesNS/-/-/saved/searches | fields eai:acl.app title is_scheduled eai:acl.owner eai:acl.sharing search updated
-> LOOKUP: cloud-test_all_saved_searches_src.csv

| rest splunk_server=local /servicesNS/-/-/data/props/extractions | fields title eai:acl.app, eai:acl.owner,eai:acl.sharing author attribute value updated
-> LOOKUP: cloud-test_all_field_extraction_src.csv

| rest splunk_server=local /servicesNS/-/-/saved/eventtypes | fields eai:acl.app,eai:acl.owner,eai:acl.sharing,search,tags,title, updated
-> LOOKUP: cloud-test_all_eventtypes_src.csv

| rest splunk_server=local /servicesNS/-/-/search/tags | fields title updated
-> LOOKUP: cloud-test_all_tags.csv

| rest splunk_server=local /servicesNS/-/-/datamodel/model | fields title eai:acl.app, eai:acl.owner,eai:acl.sharing,description,updated
-> LOOKUP: cloud-test_all_datamodel_src.csv

| rest splunk_server=local /servicesNS/-/-/data/lookup-table-files | fields title eai:acl.app, eai:acl.owner,eai:acl.sharing,updated
-> LOOKUP: cloud-test_all_lookup_src.csv

| rest splunk_server=local /servicesNS/-/-/configs/conf-macros | fields title eai:acl.app eai:acl.owner eai:acl.sharing definition args disabled updated
-> LOOKUP: cloud-test_all_macros_src.csv

| rest splunk_server=local /servicesNS/-/-/data/ui/panels |fields eai:acl.owner, eai:acl.app, eai:acl.sharing, eai:data, panel.title, title, updated, disabled
-> LOOKUP: cloud-test_all_panels_src.csv

| rest splunk_server=local /servicesNS/-/-/apps/local | fields label title
-> LOOKUP: cloud-test_all_apps_src.csv

| rest splunk_server=local /servicesNS/-/-/authentication/users | fields email realname title type
-> LOOKUP: cloud-test_all_users_src.csv

| rest /servicesNS/-/-/authorization/roles |fields capabilities, imported_capabilities, imported_roles, srchIndexesAllowed,srchIndexesDefault,title |mvexpand imported_roles
-> LOOKUP: cloud-test_all_roles_src.csv

| rest splunk_server=local /servicesNS/-/-/authorization/roles | fields capabilities, imported_capabilities, imported_roles, title,srchIndexesAllowed,srchIndexesDefault,title |mvexpand srchIndexesAllowed
-> LOOKUP: cloud-test_all_roles_src_indexes.csv

| rest splunk_server=IDX /services/data/indexes | search title!="_*" |fields title, updated
-> LOOKUP: cloud-test_all_indexes_src.csv

| rest splunk_server=local /servicesNS/-/-/saved/sourcetypes |fields title
-> LOOKUP: cloud-test_all_sourcetypes_src.csv

| rest splunk_server=local /servicesNS/-/-/admin/(SAML|LDAP)-groups | fields title roles type
-> LOOKUP: cloud-test_all_groups_src.csv

Install

This app should be installed on search heads.
https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/Experience
Install the app. For Splunk Cloud, refer to Install apps in your Splunk Cloud deployment. For customer managed deployments, refer to the standard methods for Splunk Add-on installs as documented for a Single Server Install or a Distributed Environment Install.

Configuration

Make sure you have the sc_admin role and share the lookups with this app only.

Usage

Content Validation V2:
This panel checks that all titles were migrated.
src = on-prem
dest = Splunk Cloud/on-prem destination
If src=true and dest=true, this means the KO titles were migrated successfully.
Inputs:
Exclude: Click on the apps you don’t want to see populating.
Missing: Set to true by default, in order to check all missing KOs.
Content: Select whether you would like to see all content (user, global and app), just user content, or any user content.
Environment: Click on the stack name (remember to replace the lookup) or set up the static value.
Select the KO you would like to see (saved searches are shown by default).

Update Validation:
Type a date and Splunk will check the KOs updated since this date.
Data Validator:
Here you can check if all buckets from on-prem were migrated.
Check the source and prerequisites, then assign the correct name to the lookup.
Useful dashboards:
Event Parser: Parse your data using the magic 8.
Data Quality: Check the sourcetypes with issues and use this dashboard to identify the main issues better and faster.

Known Issues

See the release notes of the latest version for known issues

Troubleshooting Steps

If no information is returned, make sure you renamed the lookup correctly.
If the lookup is correct, this means all content was migrated successfully.
If you have made sure everything is migrated but user content is still showing up, this content will disappear from the search once the user logs in.
If you click on the panel, it will show another search that compares the content of the title (this only checks content that exists in both environments).
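
The src/dest title check from Content Validation and the content comparison described in the last troubleshooting step can also be cross-checked offline against the exported CSVs. The following is an added example, not the app's own code; the sample rows are constructed, and keying on eai:acl.app plus title with whitespace-normalised comparison of the search field is an assumption about how to match objects:

```python
import csv
import io

# Constructed sample exports (not real data). Columns follow the
# saved-searches export listed under Prerequisites.
SRC_CSV = """eai:acl.app,title,eai:acl.owner,eai:acl.sharing,search
search,Failed logins,admin,app,index=auth action=failure | stats count by user
search,Daily license,admin,global,index=_internal source=*license_usage.log
secops,Priv changes,alice,user,index=audit action=role_change
"""
DEST_CSV = """eai:acl.app,title,eai:acl.owner,eai:acl.sharing,search
search,Failed logins,admin,app,index=auth action=failure | stats count by src
search,Daily license,admin,global,index=_internal  source=*license_usage.log
"""

def load(text, key_fields):
    """Index CSV rows by a tuple of key fields (assumed: app + title)."""
    rows = csv.DictReader(io.StringIO(text))
    return {tuple(r[k].strip() for k in key_fields): r for r in rows}

def compare(src_text, dest_text, key_fields=("eai:acl.app", "title"),
            content_fields=("search",)):
    """Return one record per KO: src/dest presence and fields that differ."""
    src, dest = load(src_text, key_fields), load(dest_text, key_fields)
    report = []
    for key in sorted(set(src) | set(dest)):
        s, d = src.get(key), dest.get(key)
        changed = []
        if s is not None and d is not None:
            # Collapse whitespace so re-wrapped searches are not flagged.
            changed = [f for f in content_fields
                       if " ".join(s[f].split()) != " ".join(d[f].split())]
        report.append({"key": key, "src": s is not None,
                       "dest": d is not None, "changed": changed})
    return report

def missing_on_dest(report):
    """KOs with src=true and dest=false, i.e. not migrated."""
    return [r["key"] for r in report if r["src"] and not r["dest"]]

def content_drift(report):
    """KOs present on both sides whose content fields differ."""
    return [r["key"] for r in report if r["changed"]]

if __name__ == "__main__":
    rep = compare(SRC_CSV, DEST_CSV)
    print("missing on dest:", missing_on_dest(rep))
    print("content differs:", content_drift(rep))
```

For the roles export, pass content_fields=("capabilities", "srchIndexesAllowed") to surface permission drift between the two environments.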

Upgrade

No special instructions for upgrading this app to a newer version.

Help

While this app is not formally supported, the developer can be reached at cbran@bitsioinc.com (OR in splunk-usergroups slack, @Christhian Bran). Responses are made on a best effort basis. Feedback is always welcome and appreciated!
Learn more about the splunk-usergroups Slack here: https://docs.splunk.com/Documentation/Community/current/community/Chat#Join_us_on_Slack

Release Notes

Version 2.0.2
Aug. 29, 2022

Included Home Page in order to export lookups easier.
Improved the Data quality panel
Removed the ford-qa default variable

Version 2.0.1
Aug. 17, 2022

Improved several Panels and searches

Version 2.0.0
Aug. 1, 2022
