Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Move a VM Search Head to a new physical server

sgarvin55
Splunk Employee
Splunk Employee
‎01-09-2012 01:14 PM

Current search head is on a VM. I have set up a new search head now which is on a physical server. Both have search peers set up correctly. The current VM search head has all of the user-specfiic settings, dashboards, searches, views, etc configured. The new physical search head does not.

What specific files do I need to move from the first search head (VM) to the second search head (physical)? (that is, which files under $SPLUNK_HOME/etc need to be moved, and are there any files NOT under $SPLUNK_HOME/etc which need to be moved?

Also, the first Search head is also the license server. What is the best way to move the license over from the first search head to the second and then remove from the first? Do make the second search head the license master, install license there, then re-point my indexers to the new server?

Tags (2)
Reply

Damien_Dallimor
Ultra Champion
‎01-09-2012 07:24 PM

Have you considered setting up search head pooling using shared storage(NAS, clustered storage etc..) ?

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configuresearchheadpooling

Each Search Head has its own private copy of $SPLUNK_HOME/etc/system.

Search Head Pooling allows for synchronized sharing of $SPLUNK_HOME/etc/users and $SPLUNK_HOME/etc/apps via shared storage.

Authentication(local, LDAP etc..) must be setup on each Search Head individually.

  • $SPLUNK_HOME/etc/system/local/authorize.conf
  • $SPLUNK_HOME/etc/system/local/authentication.conf
  • $SPLUNK_HOME/etc/passwd (if using local authentication)

Alternatively to setting up pooling as detailed above , you could "rsync" between your 2 Search heads to keep $SPLUNK_HOME/etc/users and $SPLUNK_HOME/etc/apps synchronized and the auth related config files in sync.

Regarding the License Server refactoring , I haven't done a migration as you describe, but I don't see any caveats with your approach.

I'll just add that I prefer to use a DNS CName for my Splunk License Server so that I don't need to update my license client's "master_uri" value if I were to move the license server to a new host, I can just update the DNS CName record.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...