How to complete Splunk Migration from 3 different instances to a new instance?

Mansi24
Path Finder

Hi Splunkers,

We have to migrate our 3 Splunk instances to a whole different new instance. The Splunk documentation says to copy the entire contents of $SPLUNK_HOME$ to the new instance, but since we have to move 3 different instances to one, we can't do it for all.

Could you please guide me on the ideal way for the migration to take place? We need to have all apps and data from all the 3 instances on the new one. Also, how should the hardware requirements be decided?

Please help!

gcusello
SplunkTrust

Hi Mansi24,
if the three instances have different apps and data it isn't complicated:

  • install Splunk on the new instance,
  • check that in the standard Splunk apps there isn't any knowledge object (eventtypes, fields, etc...), especially in Launcher and Search,
  • if there are, move them into appropriate apps,
  • especially check that no indexes.conf is in standard apps,
  • check if there's something that writes logs to the main index; if yes, move these inputs to a different index (if only one instance writes logs to the main index, it isn't important),
  • check if there are external inputs related to the old instances (Universal Forwarders, syslogs, etc...); don't move them now but after,
  • stop Splunk on old and new instances,
  • copy all the apps from the three old instances to the new one,
  • copy all the non-internal indexes from the three old instances to the new one, except the main index,
  • copy the main index only if you have data in only one instance, otherwise don't copy it,
  • restart Splunk on the new instance,
  • don't restart the old instances,
  • if there are external inputs related to the old instances (Universal Forwarders, syslogs, etc...), move them to the new one.

If instead there are common apps and data, it's more complicated because you have to manually move all the knowledge objects of common apps into a full version of these apps.
For common data, you have to export all of them to text files before stopping the old instances and reindex them on the new one.

Ciao.
Giuseppe
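
The checks in the answer above can be scripted before anything is copied. The following is an added example, not part of the original post or of Splunk's tooling: it assumes the default layout (apps under `etc/apps`, the main index under `var/lib/splunk/defaultdb`), the function names are hypothetical, and the sample trees are constructed.

```shell
#!/bin/sh
# Pre-merge check over the old instances' $SPLUNK_HOME trees.
# Assumption: default layout (etc/apps, var/lib/splunk/defaultdb for the main index).
STANDARD_APPS="search launcher"   # only the two apps the answer names; extend as needed

is_standard() { case " $STANDARD_APPS " in *" $1 "*) return 0;; esac; return 1; }

# Non-standard app names present in more than one instance (the "common apps" case).
common_apps() {
  for home in "$@"; do
    for d in "$home"/etc/apps/*/; do
      [ -d "$d" ] || continue
      app=$(basename "$d")
      is_standard "$app" || echo "$app"
    done
  done | sort | uniq -d
}

# indexes.conf and local/*.conf files sitting inside the standard apps of one instance;
# these are what has to be moved into an appropriate app first.
standard_app_leftovers() {
  for app in $STANDARD_APPS; do
    [ -d "$1/etc/apps/$app" ] || continue
    find "$1/etc/apps/$app" \( -name indexes.conf -o -path '*/local/*.conf' \) -type f
  done | sort -u
}

# Instances whose main index holds buckets; copy main only if exactly one is listed.
main_index_holders() {
  for home in "$@"; do
    if [ -n "$(find "$home/var/lib/splunk/defaultdb/db" -type d \
               \( -name 'db_*' -o -name 'hot_*' \) 2>/dev/null)" ]; then echo "$home"; fi
  done
}

# Constructed sample trees standing in for the three old instances.
T=$(mktemp -d)
mkdir -p "$T/a/etc/apps/search/local" "$T/a/etc/apps/app_fw" \
         "$T/a/var/lib/splunk/defaultdb/db/db_1620000000_1610000000_0"
mkdir -p "$T/b/etc/apps/search" "$T/b/etc/apps/app_fw" "$T/b/etc/apps/app_web" \
         "$T/b/var/lib/splunk/defaultdb/db"
mkdir -p "$T/c/etc/apps/launcher" "$T/c/etc/apps/app_dns" \
         "$T/c/var/lib/splunk/defaultdb/db/hot_v1_3"
touch "$T/a/etc/apps/search/local/eventtypes.conf" "$T/a/etc/apps/search/local/indexes.conf"

echo "common apps:        $(common_apps "$T/a" "$T/b" "$T/c")"
echo "standard-app files: $(standard_app_leftovers "$T/a" | tr '\n' ' ')"
echo "main index holders: $(main_index_holders "$T/a" "$T/b" "$T/c" | tr '\n' ' ')"
```

Run it against read-only copies or mounts of the old instances; an empty `common_apps` result and at most one main index holder correspond to the simple case in the answer.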
