Recovering Deleted or Overwritten Dashboards in Splunk
By Aaron Dobrzeniecki, Senior Splunk Consultant
Have you ever been in a situation where you are heads down, grinding on your work, when you accidentally delete or overwrite a very crucial dashboard? If so, no need to panic! We have a resolution to recover your important dashboard.
Accidentally deleting dashboards in Splunk can be a nerve-wracking experience, especially for those who rely on these powerful tools for monitoring and analyzing critical data. In this blog post, we’ll explore one very powerful way for you to recover your Splunk dashboard (the XML code) from Splunk’s internal logs.
This use case came about when I was working with a customer on his high-level management dashboards. My customer had been working on these dashboards for higher-ups for about 2 weeks, inputting critical information and designing his dashboards to show only the points of interest. Once he realized he had overwritten his dashboard, panic set in. He immediately reached out to me for a solution to recover his dashboard. As I had seen this issue before, I immediately dipped into my bag of searches and tricks, digging for a solution to his problem.
Find Old XML Coding
The search below returns the old XML code of your previously saved dashboard.
index=_internal dashboard_shortname sourcetype=splunkd_conf data.payload_extra=*
Let me break down the search to give a little more insight.
We are searching Splunk's internal index (_internal), so make sure whoever runs the search has access to this index, as this is where the code for dashboards is stored. The dashboard_shortname is the name of your dashboard as it appears in the Splunk URL. Please see the example below:
Example URL: https://organization.splunkcloud.com/en-US/app/search/data_quality?form.time_picker.earliest=-24h%40h
data_quality is the dashboard shortname for this example
Including the sourcetype of splunkd_conf helps the search return results more quickly. Finally, the data.payload_extra field is crucial when recovering previously overwritten dashboard code: it is the field where the XML code is kept in the internal event.
I took one of my dashboards and purposely overwrote it for this post. Please see the overwritten code of my dashboard in the screenshot below:
I was able to use the search I created above to find the newly overwritten XML code. I will use the same exact search to find the original XML code for my dashboard. Searching any time after 10:53 AM ET and before 10:55 AM ET on June 17, I will be able to find my original code.
NOTE: For your XML code to show up in the internal logs, you need to save your dashboard. I saved my original code at exactly 10:54 AM ET, and then overwrote it. Please see the original code for my dashboard below:
Not only does this save you time, effort, and stress, but it is a great way to recover from any mistakes made to your dashboard.
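An added example, not from the original post: once the results of the search above are exported one JSON object per line, this Python script picks the newest well-formed dashboard XML saved before the overwrite. The export layout (a "_time" key and a flat "data.payload_extra" key), the function names, and the sample events, including the year, are assumptions constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample export: one JSON result per line. The "_time" key and the
# flat "data.payload_extra" key are assumptions about how the results were saved.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"_time": "2024-06-17T10:54:00-04:00",
                "data.payload_extra": "<dashboard><label>Data Quality</label>"
                "<row><panel><title>Original</title></panel></row></dashboard>"}),
    json.dumps({"_time": "2024-06-17T10:55:00-04:00",
                "data.payload_extra": "<dashboard><label>Oops</label></dashboard>"}),
    # Constructed truncated payload, to show that unusable events are skipped.
    json.dumps({"_time": "2024-06-17T10:53:30-04:00",
                "data.payload_extra": "<dashboard><label>Data Qual"}),
])


def saved_versions(export_text):
    """Return (time, xml) pairs, oldest first, keeping only well-formed dashboards."""
    versions = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        xml_text = row.get("data.payload_extra")
        if not xml_text:
            continue
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            continue  # truncated or non-XML payload: not a usable version
        if root.tag in ("dashboard", "form"):  # Simple XML root elements
            versions.append((datetime.fromisoformat(row["_time"]), xml_text))
    return sorted(versions, key=lambda v: v[0])


def recover_before(export_text, overwrite_time):
    """Return the newest well-formed version saved strictly before overwrite_time."""
    cutoff = datetime.fromisoformat(overwrite_time)
    older = [v for v in saved_versions(export_text) if v[0] < cutoff]
    return older[-1][1] if older else None


if __name__ == "__main__":
    print(recover_before(SAMPLE_EXPORT, "2024-06-17T10:55:00-04:00"))
```

Checking that the payload parses before restoring it avoids pasting a truncated event back into the dashboard editor.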
In conclusion, recovering dashboards is essential for keeping data monitoring and analysis smooth and reliable. By having good backup and recovery plans, companies can reduce downtime and prevent data loss, making sure their important information stays accurate. Regularly updating and testing these plans, and using the right recovery tools, will help handle unexpected problems better. In the end, being prepared for dashboard recovery helps create a stable and secure data system, allowing businesses to make smart decisions and stay productive.