We went through an acquisition and both of us have Splunk instances. We want to migrate from our Splunk Cloud instance to their Splunk on-premise Enterprise instance. Do I only need to change the outputs.conf files on the forwarders to point to the Enterprise instance? The current forwarders are unfortunately a CentOS Linux version I have not worked with before. Thank you.
Yes, you have to send an updated outputs.conf to the forwarders. Generally this is done through a deployment server. If your PS guys were good, they deployed a deploymentclient.conf app through the deployment server, which should also be updated so that it points to the new DS.
I don't know how you managed your installation in the past but the best way is to create an App containing two files:
The first one contains the address of the Deployment Server and the second one contains the addresses of the Indexers.
In this way, you can manage configuration changes in only one place.
So, now the questions are:
If you already have a Deployment Server, you have to create an app with the above files and deploy it to all the forwarders.
If you don't have a DS (or another tool), you have to manage this deployment manually, and that isn't a good idea.
If the above files are in $SPLUNK_HOME/etc/system/local, you have to delete them and deploy the above app; if they are already in an app, it's very easy because you only have to change the IP addresses (or the DNS names) of the new Indexers in outputs.conf and of the DS in deploymentclient.conf.
Before starting this job, check that all the ports between Forwarders and Indexers (usually 9997) and the Deployment Server (usually 8089) are open.
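A sketch of the two-file app described above, as an added example that is not the answerer's code or Splunk's own: the app name, host names and ports are placeholders, and the script builds the app, lists any copies in etc/system/local that would override it, and checks a port with nc.

```shell
#!/bin/sh
# Builds the forwarder app described in the answer. APP_NAME and all hosts
# below are assumed placeholders, not values from the original post.
APP_NAME="org_all_forwarder_outputs"

# build_forwarder_app <app_root> <ds_host:port> <indexer:port> [indexer:port ...]
# Writes <app_root>/<APP_NAME>/local/{outputs.conf,deploymentclient.conf}
# and prints the local/ directory it wrote to.
build_forwarder_app() {
  app_root="$1"; ds="$2"; shift 2
  indexers=$(printf '%s,' "$@"); indexers="${indexers%,}"
  conf_dir="$app_root/$APP_NAME/local"
  mkdir -p "$conf_dir"
  # outputs.conf: forwarders send data to the new indexers (usually port 9997)
  cat > "$conf_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = new_indexers

[tcpout:new_indexers]
server = $indexers
EOF
  # deploymentclient.conf: forwarders phone home to the new DS (usually port 8089)
  cat > "$conf_dir/deploymentclient.conf" <<EOF
[deployment-client]

[target-broker:deploymentServer]
targetUri = $ds
EOF
  printf '%s\n' "$conf_dir"
}

# check_conflicting_local <splunk_home>: prints any copy of the two files in
# etc/system/local; those take precedence over the app and must be removed.
check_conflicting_local() {
  for f in outputs.conf deploymentclient.conf; do
    [ -f "$1/etc/system/local/$f" ] && printf '%s\n' "$1/etc/system/local/$f"
  done
  return 0
}

# check_port <host> <port>: succeeds only if a TCP connection can be opened
# (requires nc). Run it from a forwarder against each indexer and the DS.
check_port() { nc -z -w 3 "$1" "$2"; }
```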