Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Migrating Heavy Forwarder to a new server

cnuguri_ncc
Path Finder
‎08-07-2020 09:19 AM

Hi All,

I have inherited a HF running on a Linux server collecting data from several cloud sources using the inputs from below TAs, that need to be moved to a newly built Linux server (no Splunk version upgrades).

azure_event_hub
azure_security_center_input
digital_shadows_searchlight
microsoft_graph_security
MS_AAD_audit
MS_AAD_signins
mscs_azure_audit
mscs_azure_resource
splunk_ta_o365_management_activity
windows_defender_atp_alerts

Can you please recommend any procedures and best practices to make sure there is no data duplication ?

Thinking of the below ways, will any of these work and which is better ?

1.

    a. Stop Splunk on old host and copy Splunk directory to new host.
    b. Change the splunk server/instance name to match the new host.
    c. Start splunk on the new host.

2. Install fresh Splunk on new host, and configure TAs, is there a way to move any checkpoints (or something similar to fishbuckets ? ) from the old HF, so that the TAs pull data from where it was stopped on the existing HF ?

Thanks a lot in advance

Chaith

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-07-2020 09:52 AM

Best way is to move Splunk app on HF since you have checkpoints for modular inputs.

stop splunk on old instance.

create same splunk user which is used on existing server on new server.

just copy $SPLUNK_HOME to new splunk instance

and change instance name and hostname in 

system/local/server.conf and inkuts.conf if you are going to have new hostname to new server you have configured. You can continue using same hostname if you are decommissioning existing HF.

 

then start splunk on new instance.

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-07-2020 09:52 AM

Best way is to move Splunk app on HF since you have checkpoints for modular inputs.

stop splunk on old instance.

create same splunk user which is used on existing server on new server.

just copy $SPLUNK_HOME to new splunk instance

and change instance name and hostname in 

system/local/server.conf and inkuts.conf if you are going to have new hostname to new server you have configured. You can continue using same hostname if you are decommissioning existing HF.

 

then start splunk on new instance.

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

cnuguri_ncc
Path Finder
‎08-10-2020 01:15 AM

Thanks a lot !

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-10-2020 07:18 AM

Great. You are welcome.

————————————
If this helps, give a like below.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...