1) Let's say you need to migrate your current Splunk instance from Machine A to Machine B.
2) Install Splunk on Machine B. Keep the install location the same on both Splunk instances.
3) Manually roll buckets from hot to warm on Machine A. For the command, refer to Links.
4.1) Copy Data Stores: The default location for data is $SPLUNK_HOME/var/lib/splunk. Copy the entire data store, including event data and Splunk internal data. My suggestion is to use the xcopy or move (with /y) command to copy, as that will also bring along the permissions. A sample command can be found in a recent version of the Splunk documentation, such as http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Aboutindexesandindexers; refer to the section "Move the index database > For Windows users".
4.2) Once the data store is copied, the next step is to copy the appropriate configuration, presuming all configuration changes were made in local folders. Copy the following folder from source to target.
4.3) In addition, copy existing users and their saved searches from Machine A to Machine B. Copy the files at location $SPLUNK_HOME/etc/user.
5) Other Important Considerations: Most importantly, if the new machine will be using a different hostname or IP address, ensure that other systems which you expect to communicate with Splunk are updated to reflect the change, including:
- Distributed search nodes which will request searches of this node
- Network-based inputs such as direct syslog inputs
- Any health monitoring tools you use to verify Splunk operation
- If Splunk is installed in a different directory on the new environment, update SPLUNK_HOME in etc/splunk-launch.conf, and review all of your configuration for possible use of absolute paths which must be updated.
- If Splunk indexes are not in the default location ($SPLUNK_HOME/var/lib/splunk), then update SPLUNK_DB in etc/splunk-launch.conf.
- Review any scripted inputs. Verify the paths used to invoke them, whether they will run on the new architecture or operating system at all, and whether their dependencies and data inputs are set up and available where they expect them. Test them outside Splunk by checking that something reasonable is sent to standard output.
- For scripted alerts, verify them in the same general manner as scripted inputs.
- For scripted authentication, verify this in the same way.
- For script-based lookups, verify them.
- If email-based alerting is used, ensure the mail server will accept mail from the new system, and ensure that the new system has the routing, DNS and firewall clearances to reach your mail server.
- If Splunk needs to start on boot, note that these settings are located outside the Splunk installation, so they will not be copied over. Be sure to run splunk enable boot-start or manually enable it to start on boot.
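
The review of the copied configuration for the old install path and the old hostname, described in the considerations above, can be scripted. This is an added example, not part of the original procedure or Splunk's own tooling; the sample file contents, `D:\Splunk` and `machine-a` are constructed assumptions.

```python
import os
import re
import tempfile

def _norm(s):
    # Compare Windows paths regardless of slash direction or case.
    return s.replace("\\", "/").lower()

def find_stale_references(etc_dir, old_home, old_host):
    """Return (file, line_no, setting, reason) for .conf lines naming the old path or host."""
    host_re = re.compile(r"(?<![\w.-])" + re.escape(old_host.lower()) + r"(?![\w-])")
    hits = []
    for root, _dirs, files in os.walk(etc_dir):
        for name in sorted(f for f in files if f.endswith(".conf")):
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    line = line.strip()
                    if not line or line.startswith("#"):
                        continue  # blank line or comment
                    if line.startswith("["):
                        key, value = "(stanza)", line  # headers like [monitor://...] hold paths
                    elif "=" in line:
                        key, value = (p.strip() for p in line.split("=", 1))
                    else:
                        continue
                    if _norm(old_home) in _norm(value):
                        hits.append((path, no, key, "old install path"))
                    if host_re.search(value.lower()):
                        hits.append((path, no, key, "old hostname"))
    return hits

# Constructed sample files (assumed names and values, not from a real deployment).
SAMPLE = {
    "system/local/inputs.conf": "[monitor://D:\\Splunk\\var\\log\\app]\nhost = machine-a\n",
    "system/local/alert_actions.conf": "[email]\nmailserver = mail.example.com\n# host = machine-a\n",
}

def demo(old_home="D:\\Splunk", old_host="machine-a"):
    with tempfile.TemporaryDirectory() as etc:
        for rel, text in SAMPLE.items():
            full = os.path.join(etc, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text)
        return [(os.path.basename(p), n, k, why)
                for p, n, k, why in find_stale_references(etc, old_home, old_host)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `find_stale_references` at the copied `etc` directory on Machine B; it does not follow backslash line continuations, so multi-line values need a manual look.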