Getting Data In

Migrating Heavy Forwarder to a new server

cnuguri_ncc
Path Finder

Hi All,

I have inherited a HF running on a Linux server collecting data from several cloud sources using the inputs from the TAs below, which needs to be moved to a newly built Linux server (no Splunk version upgrades).

azure_event_hub
azure_security_center_input
digital_shadows_searchlight
microsoft_graph_security
MS_AAD_audit
MS_AAD_signins
mscs_azure_audit
mscs_azure_resource
splunk_ta_o365_management_activity
windows_defender_atp_alerts

Can you please recommend any procedures and best practices to make sure there is no data duplication?

Thinking of the below ways, will any of these work and which is better?

1.
    a. Stop Splunk on the old host and copy the Splunk directory to the new host.
    b. Change the Splunk server/instance name to match the new host.
    c. Start Splunk on the new host.

2. Install fresh Splunk on the new host and configure the TAs. Is there a way to move any checkpoints (or something similar to fishbuckets?) from the old HF, so that the TAs pull data from where they stopped on the existing HF?

Thanks a lot in advance

Chaith


thambisetty
SplunkTrust
SplunkTrust

The best way is to move the Splunk app on the HF, since you have checkpoints for the modular inputs.

1. Stop Splunk on the old instance.
2. Create the same Splunk user that is used on the existing server on the new server.
3. Just copy $SPLUNK_HOME to the new Splunk instance.
4. Change the instance name and hostname in system/local/server.conf and inputs.conf if the new server is going to have a new hostname. You can continue using the same hostname if you are decommissioning the existing HF.
5. Then start Splunk on the new instance.

————————————
If this helps, give a like below.
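The procedure in the answer above, carried through as a script. This is an added example, not thambisetty's code or anything shipped by Splunk: the /opt/splunk path, the hostnames, and the `var/lib/splunk/modinputs` checkpoint location are assumptions for illustration. The part that actually runs is step 4, the identity edit: `serverName` in the `[general]` stanza of `etc/system/local/server.conf` and `host` in the `[default]` stanza of `etc/system/local/inputs.conf`, rewritten in place so the splunk user's ownership of the files survives. The surrounding stop/copy/start steps are shown as comments. Copying the whole `$SPLUNK_HOME` (rather than option 2 in the question) also carries `etc/auth/splunk.secret`, which is what keeps the `$7$`-encrypted TA credentials in `passwords.conf` decryptable on the new host, as well as the modular-input checkpoints.

```shell
#!/bin/sh
# Added example (not code from the thread or from Splunk): the "change instance name
# and hostname" step of the answer, applied to a copied $SPLUNK_HOME.
# Assumptions: /opt/splunk layout, the hostnames, and the var/lib/splunk/modinputs
# checkpoint location are illustrative.
set -eu

# Full sequence the answer describes (the host-level commands are not run here):
#   old-hf$  /opt/splunk/bin/splunk stop
#   new-hf$  useradd ... splunk          # same user (ideally same uid/gid) as on old-hf
#   new-hf$  rsync -aH old-hf:/opt/splunk/ /opt/splunk/
#            # -a keeps ownership and modes; the copy carries etc/auth/splunk.secret,
#            # so $7$-encrypted TA credentials still decrypt, and the modular-input
#            # checkpoints under var/lib/splunk/modinputs
#   new-hf$  rename_forwarder /opt/splunk new-hf.example.com   # only if hostname changes
#   new-hf$  /opt/splunk/bin/splunk start

# set_conf_value FILE STANZA KEY VALUE
# Set KEY = VALUE in [STANZA] of an INI-style .conf file. Adds the stanza or the key
# if missing, leaves every other stanza untouched, and writes back through the
# existing file so its ownership and mode are preserved.
set_conf_value() {
    file=$1 stanza=$2 key=$3 value=$4
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    awk -v stanza="$stanza" -v key="$key" -v value="$value" '
        function pending() { if (in_stanza && !done) { print key " = " value; done = 1 } }
        /^[[:space:]]*\[/ {
            pending()
            name = $0; sub(/^[[:space:]]*\[/, "", name); sub(/\].*$/, "", name)
            in_stanza = (name == stanza); if (in_stanza) found = 1
        }
        in_stanza && !done && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            print key " = " value; done = 1; next
        }
        { print }
        END { pending(); if (!found) { print "[" stanza "]"; print key " = " value } }
    ' "$file" > "$file.tmp"
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# get_conf_value FILE STANZA KEY: print the current value (empty if absent), for checks.
get_conf_value() {
    awk -v stanza="$2" -v key="$3" '
        /^[[:space:]]*\[/ { name = $0; sub(/^[[:space:]]*\[/, "", name); sub(/\].*$/, "", name)
                            in_stanza = (name == stanza); next }
        in_stanza && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); print v; exit }
    ' "$1"
}

# rename_forwarder SPLUNK_HOME NEW_HOSTNAME
# The two identity settings the answer names: serverName in [general] of
# etc/system/local/server.conf and host in [default] of etc/system/local/inputs.conf.
rename_forwarder() {
    splunk_home=$1 newhost=$2
    set_conf_value "$splunk_home/etc/system/local/server.conf" general serverName "$newhost"
    set_conf_value "$splunk_home/etc/system/local/inputs.conf"  default host       "$newhost"
}

# demo_rename: build a constructed $SPLUNK_HOME in a temp dir, apply the rename, and
# show that unrelated stanzas and the modular-input checkpoint file are untouched.
demo_rename() {
    splunk_home=$(mktemp -d)
    mkdir -p "$splunk_home/etc/system/local" "$splunk_home/var/lib/splunk/modinputs/azure_event_hub"
    printf '[general]\nserverName = old-hf\npass4SymmKey = $7$constructed\n\n[sslConfig]\nsslPassword = $7$constructed\n' \
        > "$splunk_home/etc/system/local/server.conf"
    printf '[default]\nhost = old-hf\n' > "$splunk_home/etc/system/local/inputs.conf"
    echo 'constructed checkpoint' > "$splunk_home/var/lib/splunk/modinputs/azure_event_hub/state"
    rename_forwarder "$splunk_home" new-hf.example.com
    cat "$splunk_home/etc/system/local/server.conf" "$splunk_home/etc/system/local/inputs.conf"
    rm -rf "$splunk_home"
}
demo_rename
```

Running the script prints the rewritten `server.conf` and `inputs.conf` from the constructed tree; on a real host you would source the functions and call `rename_forwarder /opt/splunk <new-hostname>` after the rsync and before `splunk start`. If the old HF is only stopped rather than decommissioned, keep in mind that both copies now share the same GUID in `etc/instance.cfg`, so never start them against the same cloud sources at once, which is the duplication the question is trying to avoid.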

cnuguri_ncc
Path Finder

Thanks a lot !


fahmed11
Explorer

Did this work? Did you discover that you had to implement additional steps to make it work?

Thanks,
Farhan


thambisetty
SplunkTrust
SplunkTrust

Great. You are welcome.

————————————
If this helps, give a like below.