
Any insight on migrating several Splunk instances into one?

tc641
New Member

The scope of my task is to create a plan to migrate multiple Splunk instances. This includes but is not limited to:

  • sourcetypes
  • indexes
  • alerts
  • apps
  • I don't think I'm migrating old data but I know how to if necessary.
  • searches
  • lookups

I have all the locations for the relevant config files and I believe the easiest thing to do would just be to copy the contents of the config files on the host to the source then do the relevant restarts/apply cluster-bundles. Is this the best way to do it?

The hosts are different versions but later than 5.0, and they are on both Linux and Windows servers.

Are there any considerations I need to think about - other than the "Considerations for migrating Splunk Enterprise" section in migrating a Splunk instance?

I feel like, as there are so many different versions, deprecated features should just be dealt with on a case-by-case basis. So check all searches/alerts after migrating and, if one of them has broken, fix it.

Any advice would be appreciated, I am a noob.


gcusello
SplunkTrust

Hi tc641,
First, I suggest you plan your intervention on a chart before starting to work on the new Splunk instance:

  • identify if there are one or more apps,
  • list all items that you have in all your hosts, eventually divided by app,
  • group them by app and by theme (indexes, sourcetypes, ...),
  • merge results in one config file for each app,
  • copy the config files of the $SPLUNK_HOME/etc/system/local folder and then test your configuration,
  • copy apps in $SPLUNK_HOME/etc/apps and test them.

Beware of:

  • reports, alerts and savedsearches,
  • users and groups; maybe it could be safer to create them from scratch using the same searches and the same parameters than to copy them in config files.

Beware of SSL and certificates, if you use them.
Beware of paths (Windows and Linux).

Data must be managed in a different way:

  • identify which data you need to restore,
  • extract data to restore from old indexes in raw format,
  • identify target indexes (they could be the same or different ones),
  • load extracted data in the new indexes,
  • test data.

Anyway, the most important thing is to plan all the items before starting! Otherwise, you can be sure that there will be some errors!

Bye.
Giuseppe

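As an added illustration of the "merge results in one config file for each app" step in the plan above (my own example, not Giuseppe's code and not a Splunk tool), a small Python script that merges the same .conf file from several instances into one, records stanza keys whose values differ between instances, and flags Windows paths and SSL settings for manual review. The instance names and config contents are constructed samples.

```python
"""Merge Splunk-style .conf fragments from several instances into one,
reporting value conflicts and settings that need manual review."""
import re

# Constructed sample .conf contents from two hypothetical instances.
CONF_A = r"""
[main]
homePath = $SPLUNK_HOME/var/lib/splunk/defaultdb/db
maxTotalDataSizeMB = 500000

[fw_logs]
homePath = $SPLUNK_HOME/var/lib/splunk/fw_logs/db
"""
CONF_B = r"""
[main]
homePath = $SPLUNK_HOME/var/lib/splunk/defaultdb/db
maxTotalDataSizeMB = 250000

[win_logs]
homePath = D:\Splunk\var\lib\splunk\win_logs\db

[sslConfig]
sslPassword = PLACEHOLDER_ENCRYPTED_VALUE
"""

# Certificate/SSL keys that must be re-checked on the new host.
REVIEW_KEYS = {"sslPassword", "serverCert", "sslRootCAPath"}

def parse_conf(text):
    """Parse INI-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")  # split on first '='
            current[key.strip()] = value.strip()
    return stanzas

def merge_confs(sources):
    """sources: {instance_name: conf_text}. Returns (merged, conflicts, review).
    merged keeps the first instance's value; conflicts lists differing values;
    review lists Windows paths and SSL keys needing a manual check."""
    seen, merged, conflicts, review = {}, {}, [], []
    for name, text in sources.items():
        for stanza, kv in parse_conf(text).items():
            for key, value in kv.items():
                seen.setdefault((stanza, key), {})[name] = value
    for (stanza, key), by_src in seen.items():
        if len(set(by_src.values())) > 1:
            conflicts.append((stanza, key, by_src))
        value = next(iter(by_src.values()))
        merged.setdefault(stanza, {})[key] = value
        if "\\" in value or re.match(r"^[A-Za-z]:", value):
            review.append((stanza, key, value, "windows path"))
        if key in REVIEW_KEYS:
            review.append((stanza, key, value, "ssl/certificate setting"))
    return merged, conflicts, review
```

Run it over each app's real files with the instance names as keys; every conflict and every review entry is a decision to make in the plan before anything is copied into $SPLUNK_HOME.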


tc641
New Member

Thanks for your reply. This adds a bit of detail which was very much needed.


woodcock
Esteemed Legend

If you are already clustered, then just add a new Indexer, wait for rebalance, then kill an old one. Do this over and over until you have nothing but new Indexers.


tc641
New Member

Hey 🙂 would it be possible if you could give a bit more info on this -- I opened a new question specifically relating to this: https://answers.splunk.com/answers/568070/how-to-migrate-a-lot-of-old-data.html
