How do I migrate custom field extractions to my new Splunk server?

swackhap
Explorer

I just migrated all my warm buckets over to our new Splunk server (CentOS) from Windows. I have quite a few custom field extractions that I'd like to migrate over as well. How do I do that?

Thanks, Swack

0 Karma

gkanapathy
Splunk Employee

All custom configurations are stored in "local" subfolders in the $SPLUNK_HOME/etc directory. You can simply copy over the relevant custom configuration files from the older server. Be sure you do not copy over the $SPLUNK_HOME/etc/system/local/server.conf or $SPLUNK_HOME/etc/system/local/inputs.conf wholesale (you might have to do so directly), as those contain the specific server names. Other configurations you may have to make determinations based on differences between servers.

swackhap
Explorer

Perfect! Found what I was looking for at $SPLUNK_HOME/etc/apps/search/local/props.conf. I copied it over to the same location on the new server and restarted Splunk, and I see all my field extractions! Woohoo! You saved me! Thanks gkanapathy!

0 Karma

Lowell
Super Champion

You will have to check all your apps folders, not just the "system" folder which was noted as an example. You should look through all folders that match the pattern $SPLUNK_HOME/etc/apps/*/local/*.conf. Although, most likely, your customization will be in the "search" app.

0 Karma
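
The check described in the answers above, as an added example that is not part of the original thread or Splunk's own tooling: a POSIX shell script that walks the `local` folders of the old install, skips the two host-specific files named in the accepted answer, and reports which props.conf files hold field extractions. The `EXTRACT-`/`REPORT-` setting names are standard props.conf syntax rather than something quoted on this page; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Print every local .conf file under <home>/etc, relative to <home>, skipping
# the two system/local files the answer says not to copy wholesale.
list_local_confs() {
    home=$1
    for f in "$home"/etc/system/local/*.conf "$home"/etc/apps/*/local/*.conf; do
        [ -f "$f" ] || continue    # an unmatched glob stays literal; skip it
        case "$f" in
            "$home"/etc/system/local/server.conf|"$home"/etc/system/local/inputs.conf) continue ;;
        esac
        printf '%s\n' "${f#"$home"/}"
    done
}

# Of those, print only the props.conf files that define search-time field
# extractions (EXTRACT-<class> or REPORT-<class> settings).
list_extraction_confs() {
    home=$1
    list_local_confs "$home" | while IFS= read -r rel; do
        case "$rel" in */props.conf) ;; *) continue ;; esac
        if grep -Eq '^[[:space:]]*(EXTRACT|REPORT)-[^=[:space:]]+[[:space:]]*=' "$home/$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# Constructed sample tree (not real data) standing in for the old server.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/system/local" "$d/etc/apps/search/local" "$d/etc/apps/myapp/local"
    printf '[general]\nserverName = oldhost\n' > "$d/etc/system/local/server.conf"
    printf '[default]\nhost = oldhost\n' > "$d/etc/system/local/inputs.conf"
    printf '[settings]\nhttpport = 8000\n' > "$d/etc/system/local/web.conf"
    printf '[fw_log]\nEXTRACT-src = src=(?<src_ip>\\S+)\n' > "$d/etc/apps/search/local/props.conf"
    printf '[other]\nTZ = UTC\n' > "$d/etc/apps/myapp/local/props.conf"
    printf '%s\n' "$d"
}

# Demo on the constructed tree; on a real host pass "$SPLUNK_HOME" instead.
sample=$(make_sample_tree)
list_extraction_confs "$sample"
rm -rf "$sample"
```

Review each reported file before copying it to the same relative path on the new server, since app-level files can also carry settings that differ between hosts.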

swackhap
Explorer

Thanks! I looked in the suggested location, and I see these files:
README authentication.conf inputs.conf server.conf web.conf alert_actions.conf eventtypes.conf migration.conf tenants.conf
None of them have the field extractions I'm looking for though. 😞 Where else might they be stored?

0 Karma