Solved: How do I migrate alerts and dashboards from a sear...

Abilan1 · ‎02-09-2016

Hi,

I would like to move my alerts and dashboards to another server.

Actually we have a separate search head and Indexer now. We are planning to drop our search head and move all the alerts and dashboards to that indexer server. Is it possible? (what are all the folders that need to be copied if we are migrating from one to another?).
If it is not possible, should we have a Search Head for setting up alerts and Dashboards? Is it possible to make that indexer act as a search head as well?

Please suggest. Thank You!

somesoni2 · ‎02-10-2016

It's possible to have single instance working as Search Head and Indexer both, something like this-http://docs.splunk.com/Documentation/Splunk/6.2.6/Deploy/Deploymenttoplogies#Departmental

In some deployment, Splunk web is generally disabled on Indexers, check and enable that if not already enabled. (see startwebserver on http://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf)

Regarding alerts and dashboard, you can find all the alerts in dashboard in following location(s):-

Private User stuffs :      $SPLUNK_HOME/etc/users
Shared (app level/global) stuffs:     $SPLUNK_HOME/etc/apps

Just copy/merge user/app folders from above two location to your Indexer on same location, and restart Indexer.

View solution in original post

seanbarbour · ‎04-14-2016

I have a single system and it works. I would recommend using another machines as the deployment server though.

somesoni2 · ‎02-10-2016

It's possible to have single instance working as Search Head and Indexer both, something like this-http://docs.splunk.com/Documentation/Splunk/6.2.6/Deploy/Deploymenttoplogies#Departmental

In some deployment, Splunk web is generally disabled on Indexers, check and enable that if not already enabled. (see startwebserver on http://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf)

Regarding alerts and dashboard, you can find all the alerts in dashboard in following location(s):-

Private User stuffs :      $SPLUNK_HOME/etc/users
Shared (app level/global) stuffs:     $SPLUNK_HOME/etc/apps

Just copy/merge user/app folders from above two location to your Indexer on same location, and restart Indexer.

Abilan1 · ‎02-10-2016

Hi,

Thank you so much!.. We have already splunk Web enabled on our indexer, If we want to act that as a search head also (to configure alerts and Dashboards), then If we enable search head option from this setting on that Indexer (Distribute Management console>Setup>Edit Server Roles> Enable Search Head) will it be enough? or do we need to perform any other steps?

somesoni2 · ‎02-10-2016

That will be it,

Abilan1 · ‎02-10-2016

Thanks again. I will check and update you from my side.

somesoni2 · ‎02-09-2016

Alerts and dashboards should be setup in Search Head only. The indexers should have a dedicated roles of indexing and providing data to searches. Any specific reason you want to move them to Indexers?

Abilan1 · ‎02-10-2016

Hi ,

We are planning to have only one machine for Splunk (Indexer and search head in the same). Is it possible? can we make it to act index server also as a search head?

Thank You!

How do I migrate alerts and dashboards from a search head to an indexer?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes