Splunk® Enterprise

Developing Dashboards, Views, and Apps for Splunk Web

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

How to migrate 3.X apps to 4.1.X

This topic discusses strategies for migrating your 3.x apps to Splunk 4.x. What you choose to do will vary depending on the contents of your app, so first determine which configurations you will migrate and whether or not they are supported in 4.x. First, familiarize yourself with the new configurations in 4.0 by reading through the 4.0 Installation manual topic on what to expect when migrating to 4.0. Next, read about upgrading to 4.1 in the 4.1 Installation manual.

In a lot of cases, you can reuse knowledge items (event types, source types, and so on) in your 4.x app. You can also use the information in this topic to rebuild useful 3.x apps created by the Splunk community so that they work on your 4.x deployment.

Inputs and other back-end configurations

Most back-end configuration files -- files that specify how your Splunk server works and your data settings -- can be migrated with no problem. These include authentication.conf, authorization.conf, indexes.conf, inputs.conf, outputs.conf, web.conf.

Note that there have been minor changes to these files. If you are not sure whether a specific setting can be migrated, check the spec file.

Deployment server configurations have changed completely and must be migrated by hand.

Knowledge and presentation settings

Most configuration changes from 3.X to 4.0 are to the knowledge (event types, saved searches, etc.) and presentation (Splunk Web appearance) layers. However, the following files can typically be migrated with no problems:

props.conf, transforms.conf, eventtypes.conf, and tags.conf.

If you'd just like to copy over your knowledge from a 3.X app to a 4.0 app, you can clone the Search app, and then copy in your event types, tags, props, transforms and other knowledge settings. Note that you must migrate saved searches by hand (as described below).

Saved searches and form searches

Saved searches and form searches have been modified significantly and must be migrated by hand. You can copy over your savedsearches.conf, or copy in the search string through Splunk Manager. Splunk will migrate these searches, but there are a few things you will need to edit, such as any leftover :: in fields and deprecated search commands. If you want your saved search to be displayed in a dashboard, you will have to add the search to the dashboard, this will create a view state for your new search. Form searches must be created through the new view system -- you cannot migrate your old form search over through savedsearches.conf. Read more about Forms: an introduction in this manual.

Set permissions

4.0 introduces a new object model that sets permissions for all apps and objects (saved searches, reports, views, event types, etc). Once you've migrated your 3.X App to 4.0, set permissions on your app either through Splunk Manager or by adding a default.meta file by hand to your app's directory. Find further instructions on how to set app permissions in this manual.

Note: If you've copied in configurations to Splunk by hand (without using Splunk Web) then you must set permissions so the configurations will show up in Splunk Web.

If your application is simply a data provider for use in other applications such an firewall scraper app, you may want to just export its configuration globally.


This example takes the Web Activity app from SplunkBase (located here).

This app contains a savedsearches.conf and a bundle.conf. The saved searches can be migrated into a new app for 4.0 but the bundle.conf is deprecated. Use app.conf instead. Here are step-by-step instructions for migrating this app:

1. Create a new app directory. You can use App Builder, which will automatically create a default.meta, app.conf and other files for you, as well as the entire app directory structure. If you prefer, you can also create a directory by hand in $SPLUNK_HOME/etc/apps/. For example, create a directory $SPLUNK_HOME/etc/apps/web_activity_4. Make sure you add the requisite files (app.conf, default.meta).

2. Copy the old savedsearches.conf into your new app's default directory: $SPLUNK_HOME/etc/apps/web_activity_4/default/savedsearches.conf. You can also copy all the saved searches search strings into Splunk Manager by hand.

3. Edit your saved searches to make sure they work in 4.0, specifically change any instances of :: to =. For example sourcetype::access becomes sourcetype=access. Note that there may be some other issues with your saved searches. Splunk Web will alert you of any issues and you can edit your searches directly through Splunk Manager.

4. Save your edited saved searches. You may need to restart Splunk for your new app to show up.

5. Create new dashboards or edit existing dashboards to showcase your newly migrated saved searches.

Setup screen example with user credentials
What's changed for app developers in 4.2

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters