Getting Data In

Upgrading a Splunk 5.0.5 Heavy Forwarder to a 6.x Universal Forwarder, how do we prevent reindexing of all events during migration?

rbal_splunk
Splunk Employee
Splunk Employee

Migrating from a Splunk 5.0.5 Heavy Forwarder to 6.x Universal Forwarder, we want to take over current checkpoints to prevent a reindexing of all events. We tried the msiexec installation parameter migratesplunk=1 and we tried to copy the fishbucket and persistentstorage before and after the setup, but all without success.

What can we do to save the checkpoints due to the migration?

0 Karma
1 Solution

rbal_splunk
Splunk Employee
Splunk Employee

I have been researching on this issue and the reason you are getting re-indexing again is because of the directory structuring difference between 5.0.5 and 6.x, for which a bug has been raised in the past.

The path for the corressponding versions are as below,

[5.0.5]
$SPLUNK_HOME\var\lib\splunk\persistentstorage\WinEventlog

[6.x]
$SPLUNK_HOME\var\lib\splunk\modinputs\WinEventlog

As the event logs are modular inputs in the version 6 and due to no event logs being in that directory the new instance carries out the re-indexing.

You could try steps below

  1. Stop Splunk
  2. Copy all

"$SPLUNK_HOME\var\lib\splunk\persistentstorage\WinEventlog*_checkpoint"

files to

"$SPLUNK_HOME\var\lib\splunk\modinputs\WinEventlog*".

I.e. copy the checkpoint files to the new modinputs location

  1. Remove the "_checkpoint" suffix in modinputs\WinEventLog\ directory after files are copied over.
  2. Upgrade Splunk (from 5.0.5 to 6.x)

View solution in original post

rbal_splunk
Splunk Employee
Splunk Employee

I have been researching on this issue and the reason you are getting re-indexing again is because of the directory structuring difference between 5.0.5 and 6.x, for which a bug has been raised in the past.

The path for the corressponding versions are as below,

[5.0.5]
$SPLUNK_HOME\var\lib\splunk\persistentstorage\WinEventlog

[6.x]
$SPLUNK_HOME\var\lib\splunk\modinputs\WinEventlog

As the event logs are modular inputs in the version 6 and due to no event logs being in that directory the new instance carries out the re-indexing.

You could try steps below

  1. Stop Splunk
  2. Copy all

"$SPLUNK_HOME\var\lib\splunk\persistentstorage\WinEventlog*_checkpoint"

files to

"$SPLUNK_HOME\var\lib\splunk\modinputs\WinEventlog*".

I.e. copy the checkpoint files to the new modinputs location

  1. Remove the "_checkpoint" suffix in modinputs\WinEventLog\ directory after files are copied over.
  2. Upgrade Splunk (from 5.0.5 to 6.x)
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...