Getting Data In
Highlighted

Splunk Migration

Path Finder

Hello Members,

I have seen many,many posts on splunk migration. I am confused. I hope that I can get some direction on how to accomplish this correctly.

Current splunk install: Windows 2012 running Splunk Ent 8.0.1
New splunk install: RHEL7 x_64 linux running Splunk Ent 8.0.3

I am going from Windws to Linux. I have seen posts where the suggestion is "copy all from $SPLUNK_HOME to the new instance" This does not quite make sense to me - and all the conf files on the Windows side will all have "non-linux" paths using the "\". I have looked at my indexes.conf file, and other conf files and they have the path expressed Windows style.

I have seen another post where you stop the old instance, and copy the buckets to the new instance like this:
1. Roll any hot buckets on the source host from hot to warm.
2. Review indexes.conf on the old host to get a list of the indexes on that host.
3. On the target host, create indexes that are identical to the ones on the source system.
4. Copy the index buckets from the source host to the target host.
5. Restart Splunk Enterprise.

I will assume the 5 steps above would be for all indexes, both custom (in the local directory) and default (in the default directory - i would assume that all windows paths would have to be changed to linux style in the indexes.conf file and the inputs.conf file??

I did a test with a simple index that was created just for testing. I created an indexes.conf file on the new server in the /etc/apps/search/local - revised the paths to linux. Then I copied the \var\lib\splunk\test-index directory to the LINUX machine using the forward-slash paths: "/".

i then performed a search on this new index on the new server and it works fine.

My basic question is if I copy all under $SPLUNK_HOME from windows do I have to change the paths? Or if I try the 5 part list above, does it just mean copy the db data from \var\lib\splunk\ to the new server /var/lib/splunk/, and edit the indexes.conf and inputs.conf files accordingly??

what about the mongo dir??

Thanks so much,

Eholz1 - Eric

0 Karma
Highlighted

Re: Splunk Migration

SplunkTrust
SplunkTrust

Most of the migration instructions you'll find are for moving to a similar platform. The 5 steps you found are good ones for moving your data. Don't worry about changing file path delimiters, however, because step #3 will write the correct path to the new indexes.conf file.

Don't forget to check the file paths in your other config files.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.