Adding existing standalone search heads to a cluster

arunkuriakose
Explorer

Hi Team

We have a deployment with 3 standalone search heads. One of them has ES running on it. We are planning to introduce a new server as a deployer and make these 3 search heads clustered.

Question:

1. Is it possible to add these existing search heads to a cluster or should we copy all configs then create new search heads and copy the configs to all?

If this is the only possibility what are the recommendations and challenges? Can we take a backup of full /etc/apps and then deploy new search heads -> add to cluster -> replicate /etc/apps. Is this approach?

 

Any heads up will be appreciated 


gcusello
SplunkTrust

Hi @arunkuriakose ,

to migrate stand-alone SHs to a cluster you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.4.0/DistSearch/Migratefromstandalonesearchheads

My special hint is to pay much attention to ES, because it requires a special installation on an SH Cluster:

  • install and configure the Deployer,
  • take all the apps from the SHs and put them on the Deployer,
  • install ES on the Deployer,
  • configure SHs as cluster,
  • deploy apps from the Deployer.

the best approach is that you did all the configurations in ES in a dedicated custom app, not in the ES apps, so you could install from scratch the ES on the Deployer and then deploy all the customization contained in the custom app.

Ciao.

Giuseppe


arunkuriakose
Explorer

Hi @gcusello

 

Thanks for the quick response.

 

Can you guide me to any official documentation where they explain ES migration?

I assume we have to create a custom app for search, ES and then move all the configs related to the app and then once the ES and cluster is built will copy the configs. Am I on the right track?


gcusello
SplunkTrust

Hi @arunkuriakose ,

it's always a best practice to have all the ES customizations in a custom app, in this way it's easier to migrate it.

In your case, the best approach I hint is to move all of them in a custom app, otherwise, you could copy all the folders of the ES installation on the Deployer, but I'm not so sure that's the correct approach, I'd prefer to use the custom app.

Anyway, the migration process should be:

  • back-up the ES Search Head,
  • configure the Deployer,
  • move all custom configurations (Correlation Searches, Reports, Dashboards, field extractions, custom eventtypes, etc...) in a custom app called e.g. SA-SOC where SA means Supporting Add-On,
  • install ES on the Deployer,
  • copy the SA-SOC app in the Deployer,
  • configure the Search Heads in the Cluster,
  • deploy apps,
  • test your environment.

this is a long job, so it would be best if you don't use the ES Search Head in the Cluster but a new machine, and you use the stand-alone ES SH in the meantime while you migrate your environment, then at the end you can disable it.

Ciao.

Giuseppe
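
An added example, not part of the thread and not Splunk tooling: before moving customizations into a custom app such as SA-SOC, it helps to list which stanzas each app on the standalone search head carries in `local/`. The script assumes the standard `etc/apps/<app>/local/*.conf` layout; the sample tree, stanza names and the `demo` helper are constructed for illustration.

```python
import os
import tempfile

def conf_stanzas(path):
    """Stanza names in a Splunk .conf file; continued value lines are not headers."""
    stanzas, continued = [], False
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not continued and line.startswith("[") and line.endswith("]"):
                stanzas.append(line[1:-1])
            continued = line.endswith("\\")  # trailing backslash continues the value
    return stanzas

def inventory_local(apps_dir):
    """Map app -> {conf file: [stanzas]} for every <app>/local/*.conf under apps_dir."""
    report = {}
    for app in sorted(os.listdir(apps_dir)):
        local = os.path.join(apps_dir, app, "local")
        if not os.path.isdir(local):
            continue  # nothing was customized in this app
        confs = {f: conf_stanzas(os.path.join(local, f))
                 for f in sorted(os.listdir(local)) if f.endswith(".conf")}
        if confs:
            report[app] = confs
    return report

# Constructed sample tree (not from the thread): app -> {relative path: content}
SAMPLE = {
    "SplunkEnterpriseSecuritySuite": {
        "local/savedsearches.conf": "[Threat - Constructed Example - Rule]\n"
        "search = index=main \\\n[search index=notable | fields src]\n",
    },
    "search": {"local/eventtypes.conf": "# constructed\n[soc_failed_login]\nsearch = action=failure\n"},
    "untouched_app": {"default/app.conf": "[ui]\nis_visible = 1\n"},
}

def demo():
    """Write SAMPLE into a temporary etc/apps directory and inventory it."""
    with tempfile.TemporaryDirectory() as apps_dir:
        for app, files in SAMPLE.items():
            for rel, content in files.items():
                path = os.path.join(apps_dir, app, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(content)
        return inventory_local(apps_dir)

if __name__ == "__main__":
    print(demo())
```

On a real search head, call `inventory_local` on the backed-up copy of `etc/apps` rather than the live directory; the subsearch line in the sample shows why continued values must not be counted as stanzas.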
