I would like to move my alerts and dashboards to another server.
Please suggest. Thank You!
Alerts and dashboards should be setup in Search Head only. The indexers should have a dedicated roles of indexing and providing data to searches. Any specific reason you want to move them to Indexers?
We are planning to have only one machine for Splunk (Indexer and search head in the same). Is it possible? can we make it to act index server also as a search head?
It's possible to have single instance working as Search Head and Indexer both, something like this-http://docs.splunk.com/Documentation/Splunk/6.2.6/Deploy/Deploymenttoplogies#Departmental
In some deployment, Splunk web is generally disabled on Indexers, check and enable that if not already enabled. (see
startwebserver on http://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf)
Regarding alerts and dashboard, you can find all the alerts in dashboard in following location(s):-
Private User stuffs : $SPLUNK_HOME/etc/users Shared (app level/global) stuffs: $SPLUNK_HOME/etc/apps
Just copy/merge user/app folders from above two location to your Indexer on same location, and restart Indexer.
Thank you so much!.. We have already splunk Web enabled on our indexer, If we want to act that as a search head also (to configure alerts and Dashboards), then If we enable search head option from this setting on that Indexer (Distribute Management console>Setup>Edit Server Roles> Enable Search Head) will it be enough? or do we need to perform any other steps?
I have a single system and it works. I would recommend using another machines as the deployment server though.