How to migrate 3.X apps to 4.1.X
This topic discusses strategies for migrating your 3.x apps to Splunk 4.x. What you choose to do will vary depending on the contents of your app, so first determine which configurations you will migrate and whether or not they are supported in 4.x. First, familiarize yourself with the new configurations in 4.0 by reading through the 4.0 Installation manual topic on what to expect when migrating to 4.0. Next, read about upgrading to 4.1 in the 4.1 Installation manual.
In a lot of cases, you can reuse knowledge items (event types, source types, and so on) in your 4.x app. You can also use the information in this topic to rebuild useful 3.x apps created by the Splunk community so that they work on your 4.x deployment.
Inputs and other back-end configurations
Most back-end configuration files -- files that specify how your Splunk server works and your data settings -- can be migrated with no problem. These include authentication.conf, authorization.conf, indexes.conf, inputs.conf, outputs.conf, web.conf.
Note that there have been minor changes to these files. If you are not sure whether a specific setting can be migrated, check the spec file.
Deployment server configurations have changed completely and must be migrated by hand.
Knowledge and presentation settings
Most configuration changes from 3.X to 4.0 are to the knowledge (event types, saved searches, etc.) and presentation (Splunk Web appearance) layers. However, the following files can typically be migrated with no problems:
props.conf, transforms.conf, eventtypes.conf, and tags.conf.
If you'd just like to copy over your knowledge from a 3.X app to a 4.0 app, you can clone the Search app, and then copy in your event types, tags, props, transforms and other knowledge settings. Note that you must migrate saved searches by hand (as described below).
Saved searches and form searches
Saved searches and form searches have been modified significantly and must be migrated by hand. You can copy over your savedsearches.conf, or copy in the search string through Splunk Manager. Splunk will migrate these searches, but there are a few things you will need to edit, such as any leftover :: in fields and deprecated search commands. If you want your saved search to be displayed in a dashboard, you will have to add the search to the dashboard; this will create a view state for your new search. Form searches must be created through the new view system -- you cannot migrate your old form search over through savedsearches.conf. Read more about Forms: an introduction in this manual.
4.0 introduces a new object model that sets permissions for all apps and objects (saved searches, reports, views, event types, etc). Once you've migrated your 3.X App to 4.0, set permissions on your app either through Splunk Manager or by adding a default.meta file by hand to your app's directory. Find further instructions on how to set app permissions in this manual.
Note: If you've copied in configurations to Splunk by hand (without using Splunk Web) then you must set permissions so the configurations will show up in Splunk Web.
If your application is simply a data provider for use in other applications, such as a firewall scraper app, you may want to just export its configuration globally.
This example takes the Web Activity app from SplunkBase (located here).
This app contains a savedsearches.conf and a bundle.conf. The saved searches can be migrated into a new app for 4.0 but the bundle.conf is deprecated. Use app.conf instead. Here are step-by-step instructions for migrating this app:
1. Create a new app directory. You can use App Builder, which will automatically create a default.meta, app.conf and other files for you, as well as the entire app directory structure. If you prefer, you can also create a directory by hand in $SPLUNK_HOME/etc/apps/. For example, create a directory $SPLUNK_HOME/etc/apps/web_activity_4. Make sure you add the requisite files (app.conf, default.meta).
2. Copy the old savedsearches.conf into your new app's default directory: $SPLUNK_HOME/etc/apps/web_activity_4/default/savedsearches.conf. You can also copy all the saved searches search strings into Splunk Manager by hand.
3. Edit your saved searches to make sure they work in 4.0; specifically, change any instances of :: to =. For example, sourcetype=access. Note that there may be some other issues with your saved searches. Splunk Web will alert you to any issues and you can edit your searches directly through Splunk Manager.
4. Save your edited saved searches. You may need to restart Splunk for your new app to show up.
5. Create new dashboards or edit existing dashboards to showcase your newly migrated saved searches.
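Step 3 as a script, added here as an example and not part of the Splunk documentation: it rewrites leftover field::value pairs to field=value in the search lines of a savedsearches.conf and returns every change so it can be reviewed before the file is copied into the new app. The sample file contents, the field-name pattern and the function name migrate_savedsearches are assumptions.

```python
import re

# A field::value pair outside quotes. The field-name pattern is an assumption.
FIELD_PAIR = re.compile(r"(?<![\w:])([A-Za-z_][\w.-]*)::(?![\s:])")
SEARCH_KEY = re.compile(r"\s*search\s*=")

def _fix(value):
    # Leave double-quoted text alone so literals such as "::1" survive.
    parts = re.split(r'("[^"]*")', value)
    return "".join(p if p.startswith('"') else FIELD_PAIR.sub(r"\1=", p)
                   for p in parts)

def migrate_savedsearches(text):
    """Return (new_text, changes); changes holds (stanza, old, new) tuples."""
    out, changes = [], []
    stanza, continuing = None, False
    for line in text.splitlines():
        stripped = line.strip()
        if continuing:                      # previous search line ended in "\"
            target = True
        elif stripped.startswith("#"):      # comments are never rewritten
            target = False
        elif stripped.startswith("[") and stripped.endswith("]"):
            stanza, target = stripped[1:-1], False
        else:
            target = SEARCH_KEY.match(line) is not None
        if target:
            key, sep, value = ("", "", line) if continuing else line.partition("=")
            fixed = _fix(value)
            if fixed != value:
                changes.append((stanza, value.strip(), fixed.strip()))
            line = key + sep + fixed
        continuing = target and line.rstrip().endswith("\\")
        out.append(line)
    return "\n".join(out) + "\n", changes

# Constructed sample, not taken from the Web Activity app.
SAMPLE = r"""# constructed 3.x-style saved searches
[Web errors]
search = sourcetype::access_combined status=404 \
    host::www1 | top uri

[Local hits]
search = sourcetype=access_combined clientip="::1"
"""

if __name__ == "__main__":
    new_text, changes = migrate_savedsearches(SAMPLE)
    for stanza, old, new in changes:
        print(f"[{stanza}] {old!r} -> {new!r}")
    print(new_text, end="")
```

Only search lines and their backslash continuations are touched; deprecated search commands still have to be fixed by hand.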
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7