Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Best way to copy the $Splunk_Home/etc/apps/xx/local/ directories from existing Search head cluster (7.0.x version) to new Search head Cluster using deployer in 7.3.0 version

kchaitanya
Explorer
‎09-06-2019 04:08 AM

Can Some one suggest the best approach to follow while migrating the Knowledge Objects from a existing Search head cluster running on 7.0.x version to a new Search head cluster running on 7.3.0 version .. I am specifically looking for information on how to make use thne deployer_push_mode or any other best practices to follow

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎09-06-2019 08:19 PM

@harsmarvania57 mentioned my script https://github.com/gjanders/Splunk/blob/master/bin/transfersplunkknowledgeobjects.py it was literally built for this purpose prior to 7.3.x, however 7.3.x includes push modes.

As per:
https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges#Set_...

You could use "full" push mode to get the local directories over, so the process would be copy from existing search heads the default/local/metadata et cetera and get that onto your deployer.
Then a full push, then personally I'd wipe the local off the deployer and switch back to merge_to_default or your preferred push mode. Note that you can control push mode per app according to the documentation...

If you pushed the deployer bundle and left it on the default mode of merge_to_default then files on the search head end up in default and you cannot deleted saved searches from the search head UI or similar so obviously you want to avoid that scenario.

I'm making the assumption that you want identical config on the new cluster, if you want more filtering either use my script or you could be selective with what you copy over to the deployer.
Note my script had limitations due to the API, for example you cannot copy a lookup file so either way that involves the deployer.

Good luck

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎09-06-2019 08:19 PM

@harsmarvania57 mentioned my script https://github.com/gjanders/Splunk/blob/master/bin/transfersplunkknowledgeobjects.py it was literally built for this purpose prior to 7.3.x, however 7.3.x includes push modes.

As per:
https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges#Set_...

You could use "full" push mode to get the local directories over, so the process would be copy from existing search heads the default/local/metadata et cetera and get that onto your deployer.
Then a full push, then personally I'd wipe the local off the deployer and switch back to merge_to_default or your preferred push mode. Note that you can control push mode per app according to the documentation...

If you pushed the deployer bundle and left it on the default mode of merge_to_default then files on the search head end up in default and you cannot deleted saved searches from the search head UI or similar so obviously you want to avoid that scenario.

I'm making the assumption that you want identical config on the new cluster, if you want more filtering either use my script or you could be selective with what you copy over to the deployer.
Note my script had limitations due to the API, for example you cannot copy a lookup file so either way that involves the deployer.

Good luck

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution

kchaitanya
Explorer
‎09-10-2019 07:51 AM

Thank you very much for the reply. .Yes.. i believe the deployer_push_mode = full will work for the local directories and we need to wipe them off and create an emplty local directory with the default push mode

Even the default directory on the current SHs have some KOs merged .. How can we get them on to new shc ... Do you suggest placing the Savedsearches.conf under /apps/default/xxx on existing SHC to be placed on new Deployer's shcluster/app/xx/local/ and pushed with the default mode ?

0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎09-10-2019 04:04 PM

Well if you are happy with the way it is now you could just pull the default directory from the search heads and push it via the deployer, that way it is the same as it is now.

Alternatively you could take the default/local from the deployer and then merge in the local from the search heads, this might take a little bit more effort as you might have to actually merge the files rather than just copy...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎09-06-2019 07:20 AM

Have a look at python script https://github.com/gjanders/Splunk/blob/master/bin/transfersplunkknowledgeobjects.py , created by @gjanders . This will help you to migrate knowledge objects from one instance to another using REST API.

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎09-06-2019 05:32 AM

This may help:
https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/SHCrollingupgrade

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...