Deployment Architecture

Need advice on consolidating Search heads ( USERS, Searches, Apps, etc )


I thought I would get some expert advice before manually moving Users Searches Dashboards from one SH to another.

I would like to automagically move Users, etc from one SH to another.

The Moving SH is v 6.3.1 to Destination SH is v 6.6.4, not sure how that will affect the outcome.

Also this is not a SH cluster setup (on the Destination SH) and not predicted to become a SH cluster situation.

Any advice appreciated. Thank you!

Tags (2)
0 Karma


I would simply install the older version of Splunk on the new server, copy over the entire Splunk directory to the new server and then perform an in place upgrade.


Yes to this. But also be aware that you'll need to do some additional work to manually migrate any kvstores.

0 Karma


Thank you for your reply.

I like your suggestion, however the I need to retain reports, alerts, etc on the 6.3.1 instance which are not on the 6.6.4.

The goal was to upgrade 6.3.1 to 6.6.4 and then move everything to the original 6.6.4 search head.

Please advise if you are still monitoring this question.

Thank you

0 Karma

Ultra Champion

hello @Log_wrangler,

i think there are couple of ways to go about it, but here is how i will do it, as i will try and use this opportunity to check which user cares about her searches.
1. make sure all the saved searches / dashboards / reports / alerts are within app level permissions
2. grab all the savedsearches.conf files from all the apps and create a single savedsearches.conf file
3. take all the .xml files from all apps, path $SPLUNK_HOME/etc/apps/<some_app>/<default_or_local>/data/ui/views and place them together in a temp folder (make sure there arent any naming conflicts).
4. create a new app and name it "migration" or something of that notion.
5. place all .xml files in the same created path in the new app
6. place savedsearches.conf in the new app
7. move the app to new search head

couple of other points:
1. might need to move other configurations that the searches depends upon like: props.conf, lookups, other items
2. make sure the new app has global permission
3. let everyone know where their "stuff" is now
4. if needed, help users migrate their items to new apps on new search head

hope it helps

0 Karma


Thank you for your reply.

0 Karma
Get Updates on the Splunk Community!

This Week's Community Digest - Splunk Community Happenings [9.26.22]

Get the latest news and updates from the Splunk Community here! Upcoming User Group Events! &#x1f44f; Check ...

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: CFP Site: CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...