Splunk® App for Content Packs


This documentation does not apply to the most recent version of Splunk® App for Content Packs. For documentation on the most recent version, go to the latest release.

Upgrade Splunk App for Content Packs to version 2.x

If you have installed a previous version of Splunk App for Content Packs, you can upgrade it to the latest version.

Be sure to perform the steps below for obtaining and backing up saved search status BEFORE installing version 2.0 of Splunk App for Content Packs.

Get the Status of Saved Searches before Upgrade

All saved searches of Splunk App for Content Packs v2.0 are deactivated by default.

Because Splunk App for Content Packs v2.0 has saved searches deactivated by default, we strongly recommend keeping a backup of the current status of your saved searches.

Run the following search to get the status of the saved searches. You can export the results of this search and refer to them when updating the status of saved searches after upgrading to Splunk App for Content Packs version 2.0.

| rest /servicesNS/-/-/saved/searches
| search eai:acl.app="DA-ITSI-CP-*"
| eval Status=if(disabled == 0, "Enabled", "Disabled")
| rename eai:acl.app as "Content Packs", title as "Saved Search"
| table "Content Packs", "Saved Search", Status
| sort +"Content Packs", +"Saved Search"

Search results show the saved searches and status of the saved searches grouped by content pack, as in the following screenshot.

Example saved search showing grouping by content pack

Modify Status of Saved Searches after Upgrade

After you upgrade to Splunk App for Content Packs v2.0, the saved searches that had previously been activated by default will be deactivated.

You can modify all the saved searches of a selected content pack in the following ways:

  • Activate all the saved searches
  • Deactivate all the saved searches
  • Retain current status of saved searches

To modify the status of saved searches, navigate to the installation page of the required content pack from Data Integrations → Content Library. For detailed steps, refer to the Install and Configure documentation of the content pack.
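The following is an added example, not part of the Splunk documentation: a Python script that compares the CSV exported from the status search before the upgrade with a second export of the same search taken after the upgrade, and lists the saved searches that were enabled before and are now disabled. It assumes both exports keep the column names produced by that search; the content pack and search names in the sample data are constructed placeholders.

```python
import csv
import io

# Column names produced by the status search above.
KEY_COLS = ("Content Packs", "Saved Search")

def load_status(csv_text):
    """Map (content pack, saved search) -> 'Enabled' / 'Disabled' from an exported CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {*KEY_COLS, "Status"} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    return {tuple(row[c].strip() for c in KEY_COLS): row["Status"].strip() for row in reader}

def diff_status(before_csv, after_csv):
    """Return searches to re-enable and searches that no longer exist after the upgrade."""
    before, after = load_status(before_csv), load_status(after_csv)
    to_enable = sorted(k for k, s in before.items()
                       if s == "Enabled" and after.get(k) == "Disabled")
    removed = sorted(k for k in before if k not in after)
    return to_enable, removed

# Constructed sample exports (content pack and search names are placeholders).
BEFORE = '''"Content Packs","Saved Search",Status
DA-ITSI-CP-example-a,"Example - Entity Search",Enabled
DA-ITSI-CP-example-a,"Example - KPI Search",Disabled
DA-ITSI-CP-example-b,"Example, Threshold Alert",Enabled
DA-ITSI-CP-example-b,"Example - Retired Search",Enabled
'''
AFTER = '''"Content Packs","Saved Search",Status
DA-ITSI-CP-example-a,"Example - Entity Search",Disabled
DA-ITSI-CP-example-a,"Example - KPI Search",Disabled
DA-ITSI-CP-example-b,"Example, Threshold Alert",Disabled
'''

if __name__ == "__main__":
    to_enable, removed = diff_status(BEFORE, AFTER)
    for pack, name in to_enable:
        print(f"re-enable: {pack} / {name}")
    for pack, name in removed:
        print(f"not present after upgrade: {pack} / {name}")
```

Searches reported as not present after the upgrade cannot be re-enabled from the content pack page and should be reviewed separately, since any alerting they provided is gone.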

Clean up obsolete entity searches

Run a search command to clean up obsolete searches as described in the Entity Integrations Manual. This is required to ensure that disabled or deleted entity discovery searches do not contribute to the Entity Status calculation.

Last modified on 06 February, 2024

This documentation applies to the following versions of Splunk® App for Content Packs: 2.1.0
