
How to migrate a Splunk 4.2.3 Windows installation to Splunk 6.2.7 on Linux?

sheltomt
Path Finder

To start, I've already reviewed Google's results for this, and I just need to clarify a few things. We're trying to go from a base 4.2.3 install to a 6.2 install. I've seen that I need to do:

Upgrade to 4.3.7
Upgrade to 5.0.14
Upgrade to 6.2.7

What I'm assuming here is that I install base 4.2.3 on my Linux box, copy my existing directory structure over from Windows, I'm assuming starting at C:\Program Files\Splunk, and then put it on Linux straight as is. Is that correct? Then run the upgrades on Linux obviously.

What if I were to do a totally fresh 6.2.7 install on the Linux box, and cut production over? So it's building indexes from scratch, right from the cut-over time. Could I then somehow bring my old indexes from 4.2.3 over and integrate them for history? Or how would that even work?

I'm trying to figure out how to migrate 700GB of data over without losing any up time, as we are very highly dependent on our log tracking.

0 Karma
1 Solution

yannK
Splunk Employee

You probably want to:
- back up your config (the $SPLUNK_HOME/etc/ folder) to be able to revert if needed.
- upgrade your Windows install to 6.2.7 in steps, that way all your indexes will be ready
- set up the Linux server with a vanilla 6.2.7 (the tar.gz installer is quite easy to use)

then start the migration:
- copy the indexes ($SPLUNK_HOME/var/lib by default; if this has been customized, edit indexes.conf)
- copy the configurations (apps in etc/apps, and custom system in etc/system/local)
- then, to make sure you overwrite all the defaults, I recommend untarring a new 6.2.7 over it

final touch:
- update your inputs.conf if you had Windows paths in it
- update your indexes.conf if you had Windows paths in it
- check your inputs if you need to open firewall ports
- check your etc/system/local for any server names or host names to fix
- start Splunk and check that you can search the indexes.
- update your apps

0 Karma
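The "final touch" steps in the answer above (Windows paths left in inputs.conf/indexes.conf, host and server names in etc/system/local), as an added example that is not from the original post or from Splunk: a POSIX shell script that scans a copied etc/ tree for leftover Windows paths and host settings, and maps paths under the old Windows install to the new Linux one. The file names are the page's; the sample tree, the install paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Splunk): pre-start checks on a
# $SPLUNK_HOME/etc tree copied from Windows to Linux. Assumed inputs: the copied
# etc/ directory, the old Windows install path and the new Linux install path.

# List every line in inputs.conf / indexes.conf / server.conf that still carries a
# backslash, i.e. a Windows path separator that Splunk on Linux will not resolve.
# Regex-bearing files (props/transforms) are skipped: backslashes are legitimate there.
find_windows_paths() {
    find "$1" -type f \( -name inputs.conf -o -name indexes.conf -o -name server.conf \) \
        -exec grep -nH '\\' {} + 2>/dev/null || true
}

# List serverName / host settings copied from the Windows box; they usually
# need to change on the new host.
find_host_settings() {
    find "$1" -type f \( -name server.conf -o -name inputs.conf \) \
        -exec grep -nH -E '^[[:space:]]*(serverName|host)[[:space:]]*=' {} + 2>/dev/null || true
}

# Map one Windows path under the old install to its Linux equivalent. Paths outside
# the old install (other drives, UNC shares) are reported as UNMAPPED so an operator
# picks the mount point by hand instead of the script guessing one.
win_to_linux() {
    win_home="$1"; linux_home="$2"; path="$3"
    case "$path" in
        "$win_home"*)
            rest=$(printf '%s' "${path#"$win_home"}" | tr '\\' '/')
            printf '%s%s\n' "$linux_home" "$rest" ;;
        *)  printf 'UNMAPPED:%s\n' "$path" ;;
    esac
}

# Constructed sample etc/ tree (not real data) so the checks run offline.
make_sample_etc() {
    d=$(mktemp -d)
    mkdir -p "$d/apps/myapp/local" "$d/system/local"
    printf '[monitor://C:\\inetpub\\logs\\LogFiles]\nindex = web\n' > "$d/apps/myapp/local/inputs.conf"
    printf '[main]\nhomePath = D:\\SplunkData\\defaultdb\\db\n' > "$d/system/local/indexes.conf"
    printf '[general]\nserverName = WINSPLUNK01\n' > "$d/system/local/server.conf"
    printf '%s\n' "$d"
}

etc_dir=$(make_sample_etc)
echo "== Windows paths still present =="; find_windows_paths "$etc_dir"
echo "== host/server names to review =="; find_host_settings "$etc_dir"
win_to_linux 'C:\Program Files\Splunk' /opt/splunk 'C:\Program Files\Splunk\var\lib\splunk'
rm -rf "$etc_dir"
```

Point the two scan functions at the real copied etc/ directory; every reported line must be edited before Splunk is started on the Linux host.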

sheltomt
Path Finder
• upgrade your Windows install to 6.2.7 in steps, that way all your indexes will be ready

Thank you, precisely what I was looking for. I just needed to know if I had to upgrade the indexes with the install.

I got all the rest of the info from various Google hits, but I really appreciate you putting them all in one place.

0 Karma

jkat54
SplunkTrust

Since all of the previous versions of Splunk are available to you... why not set up a development environment in AWS or Azure to test this before proceeding?

Test all of your questions.

See if you can just drop a 4.3.7 index into a 5.0.14 indexer... etc. I wouldn't just take someone's advice on the interwebs if this is so critical.

I'd even go so far as to test it with real data. Copy your entire 4.3.7 solution to a development environment, and proceed from there. Perhaps it's time your organization created a Dev, QA, Prod type of architecture starting with your migration... you'll copy prod to dev... do upgrades... write the processes and procedures in a deployment/upgrade document... then you promote the changes that work.

Don't forget to make the other teams sign off on your work in dev/qa before promoting! This way when you get to production and a dashboard doesn't work, you can show it doesn't work in dev/qa but they approved. CYA.

You can also talk to your Splunk rep about a "QA/DEV" license for this upgrade. They'll give you whatever you need free of charge to ensure you're able to upgrade successfully, and test everything without violating your license.

0 Karma

sheltomt
Path Finder

I'm not in an environment where I can do those types of tests.

0 Karma

jkat54
SplunkTrust

... you mean you can't go home and purchase an AWS account to ensure your career? Are you trapped by your employer? Is this a cry for help? Should we send Interpol? Please do yourself a favor and at least try deving this out in your own personal development environment. You don't have to have the data to make sure the process works. Make sure you raise the red flags and say this isn't the best approach... we should have dev/qa, etc. Just because they don't want to hear it doesn't mean you can't stand up for what's considered best practices. At least make yourself look experienced.

0 Karma

sheltomt
Path Finder

Dude, as much as I appreciate what you're trying to do here, it's totally misguided.

The main question is "can I bring old indexes into an upgraded system"

That should not be a question I have to test myself in my own lab, as someone should have done this before.

I'm not as concerned about the upgrade path, as yes, that's something I can test, but I figured someone could also easily answer that as well.

I'm not "the splunk guy". My whole career does not depend on this. This is simply a Jira ticket that I have in my queue that I need to get done in the next 6 months, and I'm pre-planning for it for best course of action.

I figured someone had done this before, that's all.

0 Karma

jkat54
SplunkTrust

Actually you asked 3 questions and I'm just commenting, so now I'll just leave you with...

read the documentation.

http://docs.splunk.com/Documentation/Splunk/6.2.7/Installation/Aboutupgradingto6.2READTHISFIRST
http://docs.splunk.com/Documentation/Splunk/6.0.3/Installation/Aboutupgradingto6.0READTHISFIRST

Your lack of comprehension of the scope of this "jira ticket" is why you're arguing with me.

There's so much more to consider than just if you can drag and drop indexes.

Oh, it's super critical, but I don't want to take advice from someone who's been in IT for 17 years, architecting Splunk for 6 years... instead I'll just downvote their comments.

0 Karma

jkat54
SplunkTrust

You'd do better to escalate the ticket.

0 Karma

jkat54
SplunkTrust

I say do it right or don't do it at all. I'll walk away from a client in a heartbeat because there are way too many organizations looking for Splunk candidates for me to waste my time in an IT department stuck in the '90s. They'll suck the life out of you.

If they can't afford QA, then they'll never be able to afford prod.

If they can't facilitate QA due to network segmentation or some weird crap... they'll never facilitate Prod. Environments should match as perfectly as possible, etc. Oh, it's 4GB here and 32GB in prod... well, guess what? You messed up! Do it right or go home with your whining about things being down for a few days/weeks. When it breaks during an upgrade or deployment, don't you go working 12-18 hours per day trying to fix it. You keep your normal schedule and you keep your sanity. Don't let them burn you out because they can't architect a proper solution.

0 Karma