Why am I getting this error when migrating from Windows to Linux?

michaelnorup
Communicator

So I am in the process of migrating a distributed setup with 1 search head, 1 deployment/license server and 1 index server.

I am starting with just testing on the search head.

I have installed a fresh install of Splunk Enterprise on a new Linux machine.

After that I zipped the splunk/etc folder from the Windows machine, copied it to the Linux machine, unzipped it and replaced the splunk/etc folder there.
This new Linux Splunk server doesn't have a connection to the other servers yet.
When I try to start it I get the following error:

[Image: michaelnorup_0-1648193370008.png]

Any ideas?

 

0 Karma

gcusello
SplunkTrust

Hi @michaelnorup,

as you can see in the message, there are some paths in your conf files with the Windows format "\", whereas in Linux you have to use the slash "/".

So, you have to check your conf files and manually modify the ones with Windows paths.

Obviously, beware not to modify the paths in the apps to deploy using the DS.

My hint is to have a different approach:

  • you have a very simple distributed architecture,
  • install your three machines from scratch,
  • manually configure your Search Head to use the Indexer,
  • manually configure SH and DS to send their logs to IDX,
  • copy from the old IDX, SH and DS the following folders:
    • DS: deployment_apps and eventually system/local,
    • IDX: apps and eventually system/local,
    • SH: apps and eventually system/local,
  • Any other eventual customized confs (e.g. customized scripts).

Ciao.

Giuseppe

0 Karma

michaelnorup
Communicator

Ahh okay, that makes sense with the \ to /.

I want all saved searches, dashboards etc. to be migrated along, obviously, so would copying the entire etc folder be the way to go? Having to fix the pathing is pretty tedious but necessary.

This search head can't reach the index server (which is still Windows), but it should still be able to start the Splunk service, right? Just so I can see that dashboards etc. are there?

0 Karma

gcusello
SplunkTrust

Hi @michaelnorup,

as I said, my hint is to manually configure the SH to reach the IDX, but it should find it also with the old configuration.

About savedsearches and dashboards (and I'd add also props, transforms, eventtypes, tags and so on...), you can move them by copying the etc/apps folder.

Beware of one point that I forgot in my previous answer: you also have to move the etc/user folder containing eventual objects created by users and not shared in apps or globally.

Ciao.

Giuseppe

michaelnorup
Communicator

I should be able to just copy the ENTIRE splunk/etc/ folder, right? Then just change all the \ to / and be good?

What about users and roles? That should be good as well? Some of them come from AD, but if the new server has an AD connection it should assign the roles fine, right?

0 Karma

gcusello
SplunkTrust

Hi @michaelnorup,

yes, you can copy the entire $SPLUNK_HOME/etc folder, but if the new hostname is different from the old one, you have to manually replace the hostname value in:

  • $SPLUNK_HOME/etc/system/local/server.conf
  • $SPLUNK_HOME/etc/system/local/inputs.conf

Roles are in $SPLUNK_HOME/etc/system/local/authorize.conf; users, as in all Unix systems, are in $SPLUNK_HOME/etc/passwd: you can manually copy those files from the old environment or manually add them to the new system.

Ciao.

Giuseppe

isoutamo
SplunkTrust

Hi

One hint: if/when you copy $SPLUNK_HOME/etc from (any) other node, do it before the Splunk installation on the target. Or at least install the same Splunk version again after the copy, with force, to ensure that all configurations in default directories are the Linux, not the Windows, versions! After that it's enough to check the configurations only in local directories, and also all additional apps which you have installed on the Windows nodes.

r. Ismo

0 Karma
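The check described in the answers above (find the conf settings that still carry Windows paths, look at local directories and installed apps, and leave the deployment server's apps alone), as an added example that is not part of the original posts. The function names, the path heuristic and the sample files are assumptions constructed for illustration; both `deployment-apps` (the on-disk directory name) and the thread's `deployment_apps` spelling are skipped, and regex escapes such as `\d` in props or transforms are not reported.

```python
import re
import tempfile
from pathlib import Path

# Heuristic: C:\ drive paths, \\host\share UNC, $SPLUNK_HOME\ or $SPLUNK_DB\ prefixes.
WIN_PATH = re.compile(r"(?<![A-Za-z])[A-Za-z]:\\|\\\\[\w.-]+\\|\$SPLUNK_(?:HOME|DB)\\")
# Deployment-server payloads may target Windows clients, so they are left alone.
SKIP_DIRS = {"deployment-apps", "deployment_apps"}

def scan_conf_text(text):
    """Return (line_no, stanza, line) for each stanza or setting with a Windows path."""
    hits, stanza = [], "(global)"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line
        if line and not line.startswith("#") and WIN_PATH.search(line):
            hits.append((no, stanza, line))
    return hits

def scan_etc(etc_root):
    """Scan *.conf under etc/, skipping DS payloads and system/default."""
    report = {}
    for conf in sorted(Path(etc_root).rglob("*.conf")):
        rel = conf.relative_to(etc_root)
        if SKIP_DIRS & set(rel.parts) or rel.parts[:2] == ("system", "default"):
            continue
        hits = scan_conf_text(conf.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[rel.as_posix()] = hits
    return report

SAMPLE = {  # constructed files, not taken from the thread
    "system/local/inputs.conf": "[monitor://C:\\logs\\app.log]\nindex = main\n",
    "system/local/props.conf": "[mytype]\nEXTRACT-n = id=(?<id>\\d+)\\s\n",
    "apps/myapp/local/indexes.conf": "[web]\nhomePath = $SPLUNK_DB\\web\\db\n",
    "deployment-apps/win_fwd/local/inputs.conf": "[monitor://D:\\iis]\n",
    "system/default/server.conf": "[general]\npid = C:\\x\n",
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return scan_etc(root)

if __name__ == "__main__":
    print(demo())
```

On a real migration, call `scan_etc` on the copied `$SPLUNK_HOME/etc` directory instead of `demo()` and review each reported stanza and setting by hand.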

michaelnorup
Communicator

Alright.

/system/local/authorize.conf and /passwd should also come along if I just copy the entire /etc/ folder though, right?

Good idea to change the hostname there as well ;D


One last question.

Is it possible to first migrate the Search Head and the Deployment server to Linux and keep the indexer on Windows? Just to test if users, roles, dashboards etc. still work, before migrating the indexer as well?
Or is that a big ol' mess, with having Windows/Linux mixed like that?
Thanks!

0 Karma

gcusello
SplunkTrust

Hi @michaelnorup,

it's mandatory that servers with the same role have the same OS, but you could eventually use Windows only for Indexers; I don't like this, though, for two reasons:

  • first, I didn't see any Splunk production infrastructure on Windows!
  • there isn't any reason or advantage to have some roles on Linux and some others on Windows!

So my hint is to choose one OS for all roles and use it, and to avoid Windows, for the reasons I explained in the previous messages.

You can temporarily use a mixed OS for the time required for the migration, but not for production.

Ciao.

Giuseppe
