Hello All,
I have been tasked with building a clustered environment from scratch in PROD. This will be my first. I have only practiced in a test environment, and everything is usually good. But I would like to know any DOs and DON'Ts, if any, or tips to be more successful.
Secondly, once I am done and everything is running, how do I connect the old environment to the new one and transfer, or rather copy, the same alerts, reports, dashboards, and apps to the new site?
Thanks for your help in advance.
Hi @woodlandrelic,
about the installation, I haven't anything to add with respect to the installation and configuration procedure that you followed in the test environment, which I suppose is the one described in the Splunk online documentation.
About Apps, you have to copy all the apps present in your Master Node ($SPLUNK_HOME/etc/master-apps) into the same location on the new Master Node and deploy them to the search peers.
For Search Heads, you have at first to create in the new environment all the roles of the old one.
Then, you have to copy all the Apps (excluding the ones bundled in the Splunk installation) from a Search Head (possibly the Captain) into the Deployer and deploy them to all the Search Heads.
When you finish, you'll have a copy of your environment in the new one and you can switch the data flow.
To switch the data flow, you have to modify on each client, using the Deployment Server, the indexer addresses so that they point to the new ones.
I suppose (it's a best practice) that you have outputs.conf in a dedicated TA, so it's easy to change it.
If you don't have outputs.conf in a dedicated TA but it's in $SPLUNK_HOME/etc/system/local, this is the opportunity to change this approach following these steps:
Ciao.
Giuseppe
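As an added example (not part of Giuseppe's answer or any Splunk-provided script), this shell snippet builds the dedicated outputs TA the answer recommends, pointing forwarders at the new indexers, and checks for the one thing that silently defeats it: a leftover outputs.conf in $SPLUNK_HOME/etc/system/local, which takes precedence over any app. The app name, indexer hostnames and port are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Creates a deployment app
# containing only outputs.conf so the Deployment Server can push the new
# indexer addresses to every forwarder, and warns if system/local still
# holds an outputs.conf that would override the TA. All paths/hosts are
# assumptions for illustration.
set -eu

# make_outputs_ta <SPLUNK_HOME> <app_name> <indexer:port> [<indexer:port> ...]
# Writes etc/deployment-apps/<app_name>/local/outputs.conf and prints its path.
make_outputs_ta() {
  splunk_home=$1; app=$2; shift 2
  servers=$(printf '%s,' "$@"); servers=${servers%,}   # join host:port list with commas
  dir="$splunk_home/etc/deployment-apps/$app/local"
  mkdir -p "$dir"
  cat > "$dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = new_indexers

[tcpout:new_indexers]
server = $servers
useACK = true
EOF
  printf '%s\n' "$dir/outputs.conf"
}

# check_no_local_outputs <SPLUNK_HOME>
# Returns 0 when no system/local/outputs.conf exists, 1 (with a warning) when it does.
check_no_local_outputs() {
  splunk_home=$1
  if [ -f "$splunk_home/etc/system/local/outputs.conf" ]; then
    echo "WARNING: $splunk_home/etc/system/local/outputs.conf exists and will override the TA" >&2
    return 1
  fi
  return 0
}
```

Run the check on each forwarder (or in the image you build them from) before reloading the Deployment Server; a non-zero exit means the old indexer addresses would still win.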
Hi @gcusello
Thank you so much for the detailed answer. It was such a great help.