So I am in the process of migrating a distributed setup with 1 search head, 1 deployment/license server and 1 index server.
I am starting with just testing on the search head.
I have installed a fresh install of Splunk Enterprise on a new Linux machine.
After that I zipped the splunk/etc folder from the Windows machine, copied it to the Linux machine, unzipped it and replaced the splunk/etc folder there.
This new Linux Splunk server doesn't have a connection to the other servers yet.
When I am trying to start it I get the following error:
Any ideas?


Hi @michaelnorup,
as you can see in the message, there are some paths in your conf files with the Windows format "\"; in Linux you have to use the slash "/" instead.
So, you have to check your conf files and manually modify the ones with Windows paths.
Obviously, beware not to modify the paths in the apps to deploy using the DS.
My hint is to have a different approach:
- you have a very simple distributed architecture,
- install from scratch your three machines,
- manually configure your Search Head to use the Indexer,
- manually configure SH and DS to send their logs to IDX,
- copy from the old IDX, SH and DS the following folders:
  - DS: deployment_apps and eventually system/local,
  - IDX: apps and eventually system/local,
  - SH: apps and eventually system/local,
- Any other eventual customized confs (e.g. customized scripts).
Ciao.
Giuseppe
Ahh okay that makes sense with the \ to /.
I want all saved searches and dashboards etc. to be migrated with it obviously, so would copying the entire etc folder be the way to go? Having to fix the pathing is pretty tedious but necessary.
This search head can't reach the index server (which is still Windows) but it should still be able to start the Splunk service, right? Just so I can see that dashboards etc. are there?


Hi @michaelnorup,
as I said, my hint is to manually configure SH to reach IDX, but it should find it also with the old configuration.
About savedsearches and dashboards (and I'd add also props, transforms, eventtypes, tags and so on...), you can move them by copying the etc/apps folder.
Beware of one point that I forgot in my previous answer: you have to move also the etc/user folder containing eventual objects created by users and not shared in apps or globally.
Ciao.
Giuseppe
I should be able to just copy the ENTIRE splunk/etc/ folder, right? Then just change all the \ to / and be good?
What about users and roles? That should be good as well? Some of them come from AD, but if the new server has an AD connection it should assign the roles fine, right?


Hi @michaelnorup,
yes, you can copy the entire $SPLUNK_HOME/etc folder, but if the new hostname is different from the old one, you have to manually replace the hostname value in:
- $SPLUNK_HOME/etc/system/local/server.conf
- $SPLUNK_HOME/etc/system/local/inputs.conf
Roles are in $SPLUNK_HOME/etc/system/local/authorize.conf; users, as in all Unix systems, are in $SPLUNK_HOME/etc/passwd: you can manually copy those files from the old environment or manually add them to the new system.
Ciao.
Giuseppe

Hi
One hint. If/when you copy $SPLUNK_HOME/etc from (any) other node, do it before the Splunk installation on the target. Or at least install the same Splunk version again after the copy, with force, to ensure that all configurations in the default directories are the Linux, not the Windows, versions! After that it's enough to check those configurations only in the local directories and also all additional apps which you have installed on the Windows nodes.
r. Ismo
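
A heuristic check for the review step discussed above (finding Windows-style paths left in the local conf files of a copied etc folder), as an added example that is not part of any poster's reply. The two patterns (drive-letter paths and `$SPLUNK_HOME\` or `$SPLUNK_DB\` values), the function names and the sample files are assumptions constructed for illustration; the deployment apps directory is skipped, following the advice not to modify the paths in apps deployed through the DS.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): flag Windows-style paths that remain
# in a copied Splunk etc/ tree so they can be reviewed and fixed by hand.

# find_windows_paths ETC_DIR
# Prints "file:line:text" for lines in */local/*.conf that contain a drive
# letter path (C:\...) or a $SPLUNK_HOME\ / $SPLUNK_DB\ style value.
# Comment lines are ignored. The deployment apps directory is skipped,
# because apps pushed to Windows clients legitimately keep Windows paths.
find_windows_paths() {
    find "$1" -type d \( -name deployment-apps -o -name deployment_apps \) -prune \
        -o -type f -name '*.conf' -path '*/local/*' \
        -exec grep -HnE \
            -e '^([^#]*[^A-Za-z0-9#])?[A-Za-z]:\\' \
            -e '^[^#]*\$SPLUNK_(HOME|DB)\\' {} + || true  # no match is not an error
}

# make_sample_tree DIR: constructed sample data, not taken from the thread.
make_sample_tree() {
    mkdir -p "$1/system/local" "$1/apps/search/local" \
             "$1/deployment-apps/win_inputs/local"
    printf '%s\n' '[monitor://C:\logs\app]' 'index = main' \
        > "$1/system/local/inputs.conf"
    printf '%s\n' '[volume:hot]' 'path = $SPLUNK_DB\hot' '# old = D:\cold' \
        > "$1/system/local/indexes.conf"
    # A regex containing ":\s" must not be reported as a drive letter.
    printf '%s\n' '[mysourcetype]' 'EXTRACT-u = user:\s+(?<user>\w+)' \
        > "$1/apps/search/local/props.conf"
    printf '%s\n' '[monitor://C:\Windows\Temp]' \
        > "$1/deployment-apps/win_inputs/local/inputs.conf"
}

# Optional demo: run the script with --demo to scan the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    make_sample_tree "$demo_dir"
    find_windows_paths "$demo_dir"
    rm -rf "$demo_dir"
fi
```

Every reported line is a candidate for manual review, not an automatic rewrite target; relative Windows paths without a drive letter or `$SPLUNK_` prefix are not detected.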
Alright.
/system/local/authorize.conf and /passwd should also come along if I just copy the entire /etc/ folder though, right?
Good idea to change the hostname there as well ;D
One last question.
Is it possible to first migrate the Search Head and the Deployment server to Linux and keep the indexer on Windows? Just to test if users, roles, dashboards etc. still work, before migrating the indexer as well?
Or is that a big ol' mess, with having Windows/Linux mixed like that?
Thanks !


Hi @michaelnorup,
it's mandatory that servers with the same role have the same OS, but you eventually could use Windows only for Indexers but I don't like this for two reasons:
- at first I didn't see any Splunk production infrastructure on Windows!
- there isn't any reason or advantage to have some roles on Linux and some others on Windows!
So I hint to choose an OS for all roles and use it, and I hint to avoid Windows, for the reasons I explained in the previous messages.
You can temporarily use a mixed OS for the time requested for migration but not for production.
Ciao.
Giuseppe
