We have a splunk prod instance server and there were few non-prod indexes as well.
We are into a process to move the non-prod instance for splunk out of the prod instance.
Please help me know what steps do I follow to get the apps and all the data migrated from prod to non-prod server.
Below are the tasks which I did.
(1) installed splunk on the new server.
(2) from its UI console added a non-prod splunk license.
(3) modified the DB_Splunk link so that all the indexes will be stored at heigher created partition.
(4) copy pasted the apps folder from the prod instance sever, but I am still unable to see the app in the non-prod instance.
Please suggest any possible steps I should follow for the migration.
After copy-pasting apps into the apps folder you will need to restart Splunk.
To copy index data, stop the source splunk or make sure there is no more data coming in to the index and no remaining hot bucket, copy buckets to new splunk, restart new splunk.
Thanks Martin for your text.
I have installed new Splunk using Splunk user but still some files are having root as owner and group user.
Apart before installing Splunk I edited the splunk-launch conf file pointing it to the data partition but it seems the buckets are created for only root user.
I am pretty much messedup with the access and right related things as well.
if there is any document or process available I'll be more than obliged for you.
Thanks again for your answer above.
It seems you had splunk running as root, or copied over files as root at some point in the past.
Stop splunk, chown -R the entire splunk directories to your splunk user and splunk group, make sure the splunk-launch.conf contains the correct splunk user (typically
./bin/splunk enable boot-start -user splunk), and restart splunk.
Thanks Marin you replied like an angel and things are totally resolved it seems....
thanks a ton for your responses.