Move a VM Search Head to a new physical server

sgarvin55
Splunk Employee

Current search head is on a VM. I have set up a new search head now which is on a physical server. Both have search peers set up correctly. The current VM search head has all of the user-specific settings, dashboards, searches, views, etc. configured. The new physical search head does not.

What specific files do I need to move from the first search head (VM) to the second search head (physical)? (That is, which files under $SPLUNK_HOME/etc need to be moved, and are there any files NOT under $SPLUNK_HOME/etc which need to be moved?)

Also, the first search head is also the license server. What is the best way to move the license over from the first search head to the second and then remove it from the first? Do I make the second search head the license master, install the license there, then re-point my indexers to the new server?

Damien_Dallimor
Ultra Champion

Have you considered setting up search head pooling using shared storage (NAS, clustered storage, etc.)?

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configuresearchheadpooling

Each Search Head has its own private copy of $SPLUNK_HOME/etc/system.

Search Head Pooling allows for synchronized sharing of $SPLUNK_HOME/etc/users and $SPLUNK_HOME/etc/apps via shared storage.

Authentication (local, LDAP, etc.) must be set up on each Search Head individually.

  • $SPLUNK_HOME/etc/system/local/authorize.conf
  • $SPLUNK_HOME/etc/system/local/authentication.conf
  • $SPLUNK_HOME/etc/passwd (if using local authentication)

As an alternative to setting up pooling as detailed above, you could "rsync" between your 2 Search Heads to keep $SPLUNK_HOME/etc/users and $SPLUNK_HOME/etc/apps synchronized and the auth-related config files in sync.

Regarding the License Server refactoring, I haven't done a migration as you describe, but I don't see any caveats with your approach.

I'll just add that I prefer to use a DNS CNAME for my Splunk License Server so that I don't need to update my license client's "master_uri" value if I were to move the license server to a new host; I can just update the DNS CNAME record.
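
The rsync alternative from the answer above, as an added example that is not part of the original post or Splunk's own tooling: it walks the five paths the answer lists and prints one rsync command per path that exists (or executes them in `run` mode). The function name `sync_search_head` and the destination `splunk@new-sh:/opt/splunk` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Paths named in the answer, relative to $SPLUNK_HOME on the old search head.
SYNC_PATHS="etc/users etc/apps etc/system/local/authorize.conf etc/system/local/authentication.conf etc/passwd"

# sync_search_head MODE SRC_HOME DEST
#   MODE     "plan" prints the rsync commands, "run" executes them
#   SRC_HOME $SPLUNK_HOME on the old (VM) search head
#   DEST     rsync destination for $SPLUNK_HOME on the new search head,
#            e.g. splunk@new-sh:/opt/splunk (hypothetical host and path)
sync_search_head() {
    mode=$1
    src_home=$2
    dest=$3
    for rel in $SYNC_PATHS; do
        src="$src_home/$rel"
        if [ -d "$src" ]; then
            # Trailing slashes: copy the directory's contents into the same
            # directory on the destination instead of nesting it one level down.
            from="$src/"
            to="$dest/$rel/"
        elif [ -f "$src" ]; then
            from="$src"
            to="$dest/$rel"
        else
            # etc/passwd only exists when local authentication is in use.
            echo "skip $rel (not present)" >&2
            continue
        fi
        if [ "$mode" = "run" ]; then
            # -a keeps permissions and timestamps, so etc/passwd and the
            # auth config files arrive with the same file modes they had.
            rsync -a "$from" "$to" || return 1
        else
            echo "rsync -a $from $to"
        fi
    done
}

# Stand-alone use: ./sync.sh SRC_HOME DEST [plan|run]   (defaults to plan)
if [ "$#" -ge 2 ]; then
    sync_search_head "${3:-plan}" "$1" "$2"
fi
```

Review the `plan` output before switching to `run`, and restart Splunk on the new search head afterwards so the copied configuration is read.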
