Getting Data In

What is the full process to migrate a full Splunk instance (7.0.0) from one server to another (Windows Server 2012 R2)?

Nieucel
Engager

My source Splunk server (version 7.0) is a physical Windows 2008 R2 server.
My target is a virtual Windows Server 2013 R2.
I want to migrate the full Splunk solution (apps / index...) from the source to the target.

0 Karma
1 Solution

gcusello
SplunkTrust

Hi Nieucel,
first, check the IOPS of the new virtual storage, because you could have performance problems passing from a physical server to a virtual appliance (Splunk usually refers to a 30% loss of performance!).
Anyway, the procedure to migrate a Splunk installation over Windows could be the following:

For the application:

  • Install Splunk on the new server (possibly the same as the old one);
  • stop both the servers;
  • copy $SPLUNK_HOME\etc folder from the old server to the new one;
  • restart Splunk on the new server.

For the Indexes, do you have indexes in the same physical server or in an additional LUN?

  • If they are on the same physical server, you could copy the indexes from the old installation to the new one; if they are on an external LUN, you could attach these LUNs to the new virtual appliance. In both cases, pay attention that the folder names are the same; obviously, you have to work with Splunk stopped.

The problem could be in forwarder addressing, because they would probably send logs to the old server: if you can, it would be better to use the same IP address and hostname as the old one (I did it and it's running!); otherwise you have to change outputs.conf on every forwarder; be careful not to restart the old installation before readdressing the forwarders, because they could send logs to the old server.

I hope to be helpful for you in these few rows.

Bye.
Giuseppe

0 Karma

Nieucel
Engager

Giuseppe,
Thank you very much for your quick and clear response. I will follow your process.
To answer your question: I have indexes on the same physical server as the Splunk master. (lucky).

0 Karma

rogue_carrot
Communicator

I installed splunk in a new directory of Linux and then copied the /etc file over and then re-started splunk from the new directory. I thought I was using the new version of splunk in the new directory. But I looked in the settings and saw that the previous version of splunk was running from the previous directory. 😕 I am not sure this answer really answers everything on moving one splunk instance to a new one while keeping settings in place. 😕

0 Karma

gcusello
SplunkTrust

Hi Nieucel,
I'm a little confused: in your initial question, you spoke of a Windows server, now you're speaking of Linux, what's your operating system?
If you have Linux, it's easier because you don't need to reinstall Splunk, you can:

  • stop Splunk in the old server;
  • then copy it (the whole /opt/splunk folder) to the new server;
  • pay attention to have the same IP address and hostname as the previous one;
  • run the /opt/splunk/bin/splunk enable boot-start command on the new server;
  • start splunk.

If you install Splunk in a different folder than the old one, you have to pay attention to the splunk-launch.conf file, which you can find in /splunk/etc and which contains the $SPLUNK_HOME and $SPLUNK_DB variables that you have to modify.

If instead you have a Windows server:

  • if you install on a new server, you can use my initial procedure;
  • if instead you install in a different folder on the same server, you have to uninstall Splunk before installing the new instance, or modify the start-up properties to be sure that the correct instance will start;
  • anyway, beware of the folders in the splunk-launch.conf variables.

I hope to be helpful for you.

Bye.
Giuseppe

0 Karma
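A post-migration check for the two pitfalls raised in this thread (splunk-launch.conf still pointing at the old directory, and forwarders still addressed to the old server), as an added example that is not part of the original posts or Splunk's own tooling. The function names, paths and host names are assumptions made for illustration, and the sample files are constructed.

```python
import configparser

def parse_launch_conf(text):
    """Return the uncommented KEY=VALUE settings from splunk-launch.conf text."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def _norm(path):
    # Unify separators and case so Windows and Linux paths compare alike
    # (case-insensitive comparison may over-report on Linux).
    return path.replace("\\", "/").rstrip("/").lower()

def stale_launch_paths(text, old_home, new_home):
    """List SPLUNK_HOME / SPLUNK_DB values still inside the old install directory."""
    old, issues = _norm(old_home), []
    if old == _norm(new_home):
        return issues  # same folder on both servers: nothing to rewrite
    settings = parse_launch_conf(text)
    for key in ("SPLUNK_HOME", "SPLUNK_DB"):
        value = settings.get(key)
        if value and (_norm(value) == old or _norm(value).startswith(old + "/")):
            issues.append((key, value))
    return issues

def forwarder_targets_on_old_host(outputs_text, old_host):
    """List (stanza, target) pairs in outputs.conf that still name the old server."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(outputs_text)
    hits = []
    for stanza in cp.sections():
        if not stanza.startswith("tcpout"):
            continue
        for target in cp.get(stanza, "server", fallback="").split(","):
            target = target.strip()
            if target.rsplit(":", 1)[0].lower() == old_host.lower():
                hits.append((stanza, target))
    return hits

# Constructed sample files (not taken from a real deployment).
SAMPLE_LAUNCH = "# constructed\nSPLUNK_HOME=/opt/splunk\nSPLUNK_DB=/opt/splunk/var/lib/splunk\n"
SAMPLE_OUTPUTS = ("[tcpout]\ndefaultGroup = primary\n\n[tcpout:primary]\n"
                  "server = splunk-old.example.com:9997, 10.0.0.20:9997\n")

if __name__ == "__main__":
    print(stale_launch_paths(SAMPLE_LAUNCH, "/opt/splunk", "/opt/splunk_new"))
    print(forwarder_targets_on_old_host(SAMPLE_OUTPUTS, "splunk-old.example.com"))
```

Any forwarder reported by the second function would keep sending events to the old server, so the new instance would show a gap in those sources until outputs.conf is changed.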