topic Re: How to move Enterprise Security to new search head in Splunk Enterprise Security

How to move Enterprise Security to new search head

jonathanpeckham — Tue, 15 Oct 2019 17:15:36 GMT

I'm planning on moving the Enterprise Security app from one search head to another; search heads are not clustered.
Has anyone done this that can give me the process that worked for you?

Re: How to move Enterprise Security to new search head

ivanreis — Wed, 30 Sep 2020 02:37:59 GMT

I ran a move procedure on Splunk Enterprise and ITSI, but I did not play around Enterprise Security, but I expect this procedure also work for your purpose

The procedure was:
- deploy the splunk enterprise to the new server, use the same version you have on the existing server
- tar the entire $SPLUNK_HOME/etc folder from the existing splunk Enterprise security server, but I recommend to stop the splunk service first, just to avoid any change from customers
- Stop the splunk service at new server
- copy the tar file to the new server at $SPLUNK_HOME/etc folder
- Stop Splunk service on the current Splunk Enterprise server
- Copy the bundle file from $SPLUNK_HOME/var/run from the existing server to the new one on the same path. Bundle file should be something like this servername-1570745614.bundle
- Start splunk service on the new server
- Monitor for any error message of lack of configuration issues

Before you run this procedure, stop the existing Splunk server, run a full backup of etc, just to make sure if you the last updated configuration/apps in case you have any issues, you can recover from the point where everything is working properly on the current splunk environment.

Re: How to move Enterprise Security to new search head

woodcock — Wed, 16 Oct 2019 00:47:39 GMT

It is pretty easy.

Copy the entire `$SPLUNK_HOME/etc/*` and `$SPLUNK_HOME/var/run` directory space.
Restart Splunk.
Install `TA-synckvstore` and sync every kvstore from the old to the new search head.

This all presumes that you setup Splunk and ES correctly the first time (i.e. all index and summaries are on your indexers).

Re: How to move Enterprise Security to new search head

jonathanpeckham — Fri, 18 Oct 2019 17:20:39 GMT

Thanks for the reply. Would backing up/restoring the kvstore work the same as the TA-synckvstore app? Looks like that app hasn't been updated in a while.

Re: How to move Enterprise Security to new search head

woodcock — Fri, 18 Oct 2019 17:26:44 GMT

Yes, but the Splunk backup does EVERYTHING; the TA allows you to be selective.

Re: How to move Enterprise Security to new search head

jonathanpeckham — Fri, 18 Oct 2019 17:29:27 GMT

Ah, gotchya. Thanks!

I'll work this in my change and come back to rate the answers after I've completed the move.

Re: How to move Enterprise Security to new search head

MayurMangoli — Wed, 15 Nov 2023 04:26:09 GMT

Hello @woodcock,

i'm have a bit similar scenario, but my old SH having installed ES version 6.0 and the new SH which is in migration stage ES is version is 7.2, can i copy the $SPLUNK_HOME/etc/SplunkEnterpriseSecuritySuite directory into new SH, will this work with.??