From 880752214987f3db82caf3682b17e38378148487 Mon Sep 17 00:00:00 2001 From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com> Date: Sun, 5 Jan 2025 00:32:10 +0000 Subject: [PATCH] post(splunk-app-update): update title --- .../_posts/{splunk-app-upgrade.md => splunk-app-update.md} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename source/_posts/{splunk-app-upgrade.md => splunk-app-update.md} (82%) diff --git a/source/_posts/splunk-app-upgrade.md b/source/_posts/splunk-app-update.md similarity index 82% rename from source/_posts/splunk-app-upgrade.md rename to source/_posts/splunk-app-update.md index 6f0a92a..0cec926 100644 --- a/source/_posts/splunk-app-upgrade.md +++ b/source/_posts/splunk-app-update.md @@ -1,8 +1,8 @@ --- -title: Updating lookup and dashboard through Splunk app upgrade +title: Updating lookup and dashboard through Splunk app update excerpt: Splunk Cloud and Enterprise behave differently date: 2024-12-12 -updated: 2024-12-20 +updated: 2025-01-05 tags: - splunk --- @@ -31,4 +31,4 @@ In Splunk Enterprise, any change to the lookups of the app package will always r ## Dashboards -In Splunk Cloud, even if a dashboard is never modified through Splunk Web, installing a newer app version does not replace existing ones, as if the dashboard XML in the `default` is automatically copied to the `local` folder upon installation. Since there is no way to delete the dashboards (in order to _restore_ them to the original `default`), the only way I can think of is through app reinstallation (uninstall then install). Since reinstallation is rather drastic as it results in temporary lost of [alerts](https://gitlab.com/curben/splunk-scripts/-/tree/main/threat-hunting) and lookups depended by them, I create separate apps that only have dashboards, then another set of apps for everything else. +In Splunk Cloud, even if a dashboard was never modified through Splunk Web, installing a newer app version does not replace existing ones, as if the dashboard XML in the `default` is automatically copied to the `local` folder upon installation. Since there is no way to delete the dashboards (in order to _restore_ them to the original `default`), the only way I can think of is through app reinstallation (uninstall then install). Since reinstallation is rather drastic as it results in temporary lost of [alerts](https://gitlab.com/curben/splunk-scripts/-/tree/main/threat-hunting) and lookups depended by them, I create separate apps that only have dashboards, then another set of apps for everything else.