Splunk Migration

eholz1
Contributor

Hello Members,

I have seen many, many posts on Splunk migration. I am confused. I hope that I can get some direction on how to accomplish this correctly.

Current splunk install: Windows 2012 running Splunk Ent 8.0.1
New splunk install: RHEL7 x_64 linux running Splunk Ent 8.0.3

I am going from Windows to Linux. I have seen posts where the suggestion is "copy all from $SPLUNK_HOME to the new instance". This does not quite make sense to me - and all the conf files on the Windows side will all have "non-linux" paths using the "\". I have looked at my indexes.conf file, and other conf files and they have the path expressed Windows style.

I have seen another post where you stop the old instance, and copy the buckets to the new instance like this:
1. Roll any hot buckets on the source host from hot to warm.
2. Review indexes.conf on the old host to get a list of the indexes on that host.
3. On the target host, create indexes that are identical to the ones on the source system.
4. Copy the index buckets from the source host to the target host.
5. Restart Splunk Enterprise.

I will assume the 5 steps above would be for all indexes, both custom (in the local directory) and default (in the default directory). I would assume that all Windows paths would have to be changed to Linux style in the indexes.conf file and the inputs.conf file??

I did a test with a simple index that was created just for testing. I created an indexes.conf file on the new server in the /etc/apps/search/local - revised the paths to linux. Then I copied the \var\lib\splunk\test-index directory to the LINUX machine using the forward-slash paths: "/".

I then performed a search on this new index on the new server and it works fine.

My basic question is if I copy all under $SPLUNK_HOME from Windows do I have to change the paths? Or if I try the 5 part list above, does it just mean copy the db data from \var\lib\splunk\ to the new server /var/lib/splunk/, and edit the indexes.conf and inputs.conf files accordingly??

What about the mongo dir??

Thanks so much,

Eholz1 - Eric

0 Karma
1 Solution

richgalloway
SplunkTrust

Most of the migration instructions you'll find are for moving to a similar platform. The 5 steps you found are good ones for moving your data. Don't worry about changing file path delimiters, however, because step #3 will write the correct path to the new indexes.conf file.

Don't forget to check the file paths in your other config files.

---
If this reply helps you, Karma would be appreciated.

0 Karma
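
One way to carry out the "check the file paths in your other config files" step on the new Linux host, as an added example that is not part of the thread and is not Splunk's own tooling. The function names `find_windows_paths` and `make_sample_tree` are hypothetical, the sample stanzas are constructed, and GNU find, sort, xargs and awk are assumed.

```bash
#!/usr/bin/env bash
# Added example: list Windows-style paths still present in Splunk .conf files
# after a Windows -> Linux move. Function names and sample data are constructed.

# Prints "file:line:[stanza] setting" for every non-comment line containing a
# drive letter (C:\...), a UNC prefix (\\host) or a backslash directly after
# $SPLUNK_HOME / $SPLUNK_DB. Hits are candidates for manual review, since a
# regex in props.conf or transforms.conf can also contain backslashes.
find_windows_paths() {
    conf_root="$1"
    find "$conf_root" -type f -name '*.conf' -print0 | sort -z |
    xargs -0 -r awk '
        { sub(/\r$/, "") }                          # files from Windows carry CRLF
        FNR == 1     { stanza = "[default]" }       # settings above the first header
        /^[ \t]*#/   { next }                       # skip comments
        /^[ \t]*\[/  { stanza = $0 }                # track the current stanza
        /[A-Za-z]:\\/ || /\\\\[A-Za-z0-9]/ || /\$SPLUNK_(HOME|DB)\\/ {
            printf "%s:%d:%s %s\n", FILENAME, FNR, stanza,
                   ($0 == stanza ? "(stanza header)" : $0)
        }'
}

# Constructed sample: a small etc/ tree as it might look after a copy from Windows.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/system/local" "$root/apps/search/local"
    printf '%s\r\n' '[test-index]' \
        'homePath = $SPLUNK_DB\test-index\db' \
        'coldPath = D:\splunk\cold\test-index\colddb' \
        > "$root/apps/search/local/indexes.conf"
    printf '%s\n' '# old path was C:\logs' '[monitor:///var/log/messages]' \
        'index = test-index' '[monitor://C:\logs\app]' \
        > "$root/system/local/inputs.conf"
}

# Usage: pass the etc directory of the new instance, for example /opt/splunk/etc
# (assumed default install location).
[ $# -eq 0 ] || find_windows_paths "$1"
```

Each hit names the stanza it belongs to, so an `indexes.conf` path and an `inputs.conf` monitor target can be told apart at a glance.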
