Dashboards & Visualizations

How do I migrate alerts and dashboards from a search head to an indexer?

Abilan1
Path Finder

Hi,

I would like to move my alerts and dashboards to another server.

  1. Actually we have a separate search head and Indexer now. We are planning to drop our search head and move all the alerts and dashboards to that indexer server. Is it possible? (what are all the folders that need to be copied if we are migrating from one to another?).
  2. If it is not possible, should we have a Search Head for setting up alerts and Dashboards? Is it possible to make that indexer act as a search head as well?

Please suggest. Thank You!

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

It's possible to have single instance working as Search Head and Indexer both, something like this-http://docs.splunk.com/Documentation/Splunk/6.2.6/Deploy/Deploymenttoplogies#Departmental

In some deployment, Splunk web is generally disabled on Indexers, check and enable that if not already enabled. (see startwebserver on http://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf)

Regarding alerts and dashboard, you can find all the alerts in dashboard in following location(s):-

Private User stuffs :      $SPLUNK_HOME/etc/users
Shared (app level/global) stuffs:     $SPLUNK_HOME/etc/apps

Just copy/merge user/app folders from above two location to your Indexer on same location, and restart Indexer.

View solution in original post

seanbarbour
New Member

I have a single system and it works. I would recommend using another machines as the deployment server though.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

It's possible to have single instance working as Search Head and Indexer both, something like this-http://docs.splunk.com/Documentation/Splunk/6.2.6/Deploy/Deploymenttoplogies#Departmental

In some deployment, Splunk web is generally disabled on Indexers, check and enable that if not already enabled. (see startwebserver on http://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf)

Regarding alerts and dashboard, you can find all the alerts in dashboard in following location(s):-

Private User stuffs :      $SPLUNK_HOME/etc/users
Shared (app level/global) stuffs:     $SPLUNK_HOME/etc/apps

Just copy/merge user/app folders from above two location to your Indexer on same location, and restart Indexer.

Abilan1
Path Finder

Hi,

Thank you so much!.. We have already splunk Web enabled on our indexer, If we want to act that as a search head also (to configure alerts and Dashboards), then If we enable search head option from this setting on that Indexer (Distribute Management console>Setup>Edit Server Roles> Enable Search Head) will it be enough? or do we need to perform any other steps?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

That will be it,

0 Karma

Abilan1
Path Finder

Thanks again. I will check and update you from my side.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Alerts and dashboards should be setup in Search Head only. The indexers should have a dedicated roles of indexing and providing data to searches. Any specific reason you want to move them to Indexers?

0 Karma

Abilan1
Path Finder

Hi ,

We are planning to have only one machine for Splunk (Indexer and search head in the same). Is it possible? can we make it to act index server also as a search head?

Thank You!

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...