- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: Need advice on consolidating Search heads ( US...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need advice on consolidating Search heads ( USERS, Searches, Apps, etc )
I thought I would get some expert advice before manually moving Users Searches Dashboards from one SH to another.
I would like to automagically move Users, etc from one SH to another.
The Moving SH is v 6.3.1 to Destination SH is v 6.6.4, not sure how that will affect the outcome.
Also this is not a SH cluster setup (on the Destination SH) and not predicted to become a SH cluster situation.
Any advice appreciated. Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would simply install the older version of Splunk on the new server, copy over the entire Splunk directory to the new server and then perform an in place upgrade.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes to this. But also be aware that you'll need to do some additional work to manually migrate any kvstores.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your reply.
I like your suggestion, however the I need to retain reports, alerts, etc on the 6.3.1 instance which are not on the 6.6.4.
The goal was to upgrade 6.3.1 to 6.6.4 and then move everything to the original 6.6.4 search head.
Please advise if you are still monitoring this question.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello @Log_wrangler,
i think there are couple of ways to go about it, but here is how i will do it, as i will try and use this opportunity to check which user cares about her searches.
1. make sure all the saved searches / dashboards / reports / alerts are within app level permissions
2. grab all the savedsearches.conf files from all the apps and create a single savedsearches.conf file
3. take all the .xml files from all apps, path $SPLUNK_HOME/etc/apps/<some_app>/<default_or_local>/data/ui/views and place them together in a temp folder (make sure there arent any naming conflicts).
4. create a new app and name it "migration" or something of that notion.
5. place all .xml files in the same created path in the new app
6. place savedsearches.conf in the new app
7. move the app to new search head
couple of other points:
1. might need to move other configurations that the searches depends upon like: props.conf, lookups, other items
2. make sure the new app has global permission
3. let everyone know where their "stuff" is now
4. if needed, help users migrate their items to new apps on new search head
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your reply.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
