Exporting a single custom content item

Export a single custom content item, such as a custom rule or a saved search, from IBM QRadar.

Before you begin

You must know the unique identifier for the custom content item that you want to export. For information about finding the unique identifiers for content items, see Searching for specific content items to export.

Procedure

Us SSH to log in to QRadar as the root user.

Go to the /opt/qradar/bin directory and type the command to export the content:

./contentManagement.pl -a export -c [content_type] -i [content_identifier]

Parameters:

Table 1. contentManagement.pl script parameters for exporting a single content item
Parameter	Description
-c `[content_type]` or --content-type `[content_type]`	Specifies the type of content to export. Type the corresponding text identifier or numeric identifier for specific content types.
-m `<DOMAIN>` --domain `<DOMAIN>`	Specifies a domain name to export only the reference data associated directly with the specified domain. Any other keys or elements in the reference data collection are excluded. If the `domain` parameter is not supplied when a reference data collection is exported, all reference data in the collection is exported. In this situation, the reference data is exported under the assumption that the `-e/--include-reference-data-elements` parameter is provided, independent of the domain association. Attention: The `domain` parameter is relevant only when you export the reference data.
-e or --include-reference-data-elements	Set this flag to include reference data keys and elements in the export. Reference data keys and reference data elements are applicable to the `referencedata` content type. This parameter is applicable only when you export reference data, or content items that are dependent on reference data.
-g or --global-view	Includes accumulated data in the export.
-i `[content_identifier]` or --id `[content_identifier]`	Specifies the identifier of a specific instance of custom content such as a single report or a single reference set.
-o `[filepath]` or --output-directory `[filepath]`	Specifies the full path to the directory where the export file is written. If no output directory is specified, the content is exported to the current directory. If the specified output directory does not exist, it is created.
-t `[compression_type]` or --compression-type `[compression_type]`	Used with the `export` action. Specifies the compression type of the export file. Valid options are ZIP and TARGZ (case sensitive). If you do not specify a compression type, the default compression type is ZIP.

Examples:

To export the dashboard that has ID 7 into the current directory, type the following command:
```
./contentManagement.pl -a export -c dashboard -i 7
```
To export the log source that has ID 70, including accumulated data, into the /store/cmt/exports directory, type the following command:
```
./contentManagement.pl -a export -c sensordevice -i 70 -o /store/cmt/exports -g
```

Results

The content is exported to a compressed .zip file. The exported file might contain more content items than expected because all dependencies are exported with the specified content items. For example, if you export a report, the saved search that the report uses is also exported. You can manually change the file name to a name that is more descriptive.