Deployment Architecture

How to copy configurations from the search head, heavy forwarder, and indexer cluster in one environment to a new environment?

New Member

I have a distributed 6.2.3 setup with a single Search head, an Indexer cluster and a single Heavy Forwarder. This environment is pretty "dirty" (it's in a lab for testing so it gets abused) so I have built new 6.2.3 (have to stay on this version) servers and want to copy the configuration from the dirty environment to the new environment. Basically I want server settings, licensing, authentication, clustering, distributed search... I don't care about apps and add-ons, indexes, saved searches, etc.

I recognize in copying some of the files that edits may be necessary, for example, IPs and hostnames will be different.

Is this feasible, reasonable, or am I going about this wrong? If this is the way to go, I'm not sure what files need to be copied... don't want all of $SPLUNK_HOME/etc.

Your feedback and assistance is appreciated.


0 Karma


The diag command can collect the config files into a tarball that you can copy to the new systems. You can control what data it collects. See

If this reply helps you, an upvote would be appreciated.
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!