Getting Data In

Upgrading a univeral forwarder to a heavy weight forwarder

Path Finder

I need to upgrade a forwarder from a universal to a heavy weight one. Now I could just blow away my instance and start again however that would mean that all the data from the files would be resent. I don't want to change the inputs.conf with followTail as these are not under my control. So could just copy my old fish bucket to the new installation and it would work?

Tags (1)

Path Finder

We want to upgrade a splunk universal forwarder to heavy forwarder and also it should have the same fishbucket the universal forwarder contains.

After upgrade the heavy forwarder should start reading data from point where universal forwarder stopped.

Would the following method work?

  1. Fresh install of the splunk heavy forwarder
  2. Copy fishbucket database and persistentstorage ($SPLUNK_HOME/var/lib/splunk/*) from UF into same location of newly installed heavy forwarder.
  3. Copy inputs.conf and outputs.conf from UF into HWF
  4. Deploy necessary props.conf and transforms.conf to HWF

Biggest concern is if we can copy the fishbucket database from UF to the HWF.

0 Karma

Path Finder

According to the folks at Hurricane Labs, the above method/steps should work:

0 Karma


Given that a universal fowarder installs to /opt/splunkforwarder (or seems to in the system I am looking at for example) I believe a universal forwarder configuration can live alongside a heavy forwarder.

One problem is that /etc/init.d/splunk would get changed to point to the heavy fowarder in /opt/splunk so making certain that the universal forwarder is shut down before installing/configuring the heavy forwarder seems the way to go.

This is what I'm planning on doing with a syslog forwarder.

0 Karma

Super Champion

When it comes to the configuration files, you should be able to copy them from one to the other.

First you should stop the forwarder and copy the entire home directory as a backup.

Install the heavy forwarder on top of the universal forwarder if you can - I've never done it, so I'm not sure that works.

Populate the local folders with those from your Universal Forwarder backup.

Copy the fish bucket to the correct location on the heavy forwarder. So long as you are not switching from 32 to 64 bit it should not be a problem.

If the Heavy Forwarder installs to a new splunk_home, then unistall the Universal Forwarder.

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...