Getting Data In

Upgrading a Splunk 5.0.5 Heavy Forwarder to a 6.x Universal Forwarder, how do we prevent reindexing of all events during migration?

rbal_splunk
Splunk Employee
Splunk Employee

Migrating from a Splunk 5.0.5 Heavy Forwarder to 6.x Universal Forwarder, we want to take over current checkpoints to prevent a reindexing of all events. We tried the msiexec installation parameter migratesplunk=1 and we tried to copy the fishbucket and persistentstorage before and after the setup, but all without success.

What can we do to save the checkpoints due to the migration?

0 Karma
1 Solution

rbal_splunk
Splunk Employee
Splunk Employee

I have been researching on this issue and the reason you are getting re-indexing again is because of the directory structuring difference between 5.0.5 and 6.x, for which a bug has been raised in the past.

The path for the corressponding versions are as below,

[5.0.5]
$SPLUNK_HOME\var\lib\splunk\persistentstorage\WinEventlog

[6.x]
$SPLUNK_HOME\var\lib\splunk\modinputs\WinEventlog

As the event logs are modular inputs in the version 6 and due to no event logs being in that directory the new instance carries out the re-indexing.

You could try steps below

  1. Stop Splunk
  2. Copy all

"$SPLUNK_HOME\var\lib\splunk\persistentstorage\WinEventlog*_checkpoint"

files to

"$SPLUNK_HOME\var\lib\splunk\modinputs\WinEventlog*".

I.e. copy the checkpoint files to the new modinputs location

  1. Remove the "_checkpoint" suffix in modinputs\WinEventLog\ directory after files are copied over.
  2. Upgrade Splunk (from 5.0.5 to 6.x)

View solution in original post

rbal_splunk
Splunk Employee
Splunk Employee

I have been researching on this issue and the reason you are getting re-indexing again is because of the directory structuring difference between 5.0.5 and 6.x, for which a bug has been raised in the past.

The path for the corressponding versions are as below,

[5.0.5]
$SPLUNK_HOME\var\lib\splunk\persistentstorage\WinEventlog

[6.x]
$SPLUNK_HOME\var\lib\splunk\modinputs\WinEventlog

As the event logs are modular inputs in the version 6 and due to no event logs being in that directory the new instance carries out the re-indexing.

You could try steps below

  1. Stop Splunk
  2. Copy all

"$SPLUNK_HOME\var\lib\splunk\persistentstorage\WinEventlog*_checkpoint"

files to

"$SPLUNK_HOME\var\lib\splunk\modinputs\WinEventlog*".

I.e. copy the checkpoint files to the new modinputs location

  1. Remove the "_checkpoint" suffix in modinputs\WinEventLog\ directory after files are copied over.
  2. Upgrade Splunk (from 5.0.5 to 6.x)
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...