Deployment Architecture

How to copy configurations from the search head, heavy forwarder, and indexer cluster in one environment to a new environment?

New Member

I have a distributed 6.2.3 setup with a single Search head, an Indexer cluster and a single Heavy Forwarder. This environment is pretty "dirty" (it's in a lab for testing so it gets abused) so I have built new 6.2.3 (have to stay on this version) servers and want to copy the configuration from the dirty environment to the new environment. Basically I want server settings, licensing, authentication, clustering, distributed search... I don't care about apps and add-ons, indexes, saved searches, etc.

I recognize in copying some of the files that edits may be necessary, for example, IPs and hostnames will be different.

Is this feasible, reasonable, or am I going about this wrong? If this is the way to go, I'm not sure what files need to be copied... don't want all of $SPLUNK_HOME/etc.

Your feedback and assistance is appreciated.


0 Karma


The diag command can collect the config files into a tarball that you can copy to the new systems. You can control what data it collects. See

If this reply helps you, an upvote would be appreciated.
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!