I have a situation where we're rolling out a new Splunk deployment on replacement hardware, and I want to start with a fresh install of Splunk, sans many of the no-longer-needed hacks that the previous instance is riddled with throughout its configuration. This means I will not be migrating over the entire $SPLUNK_HOME directory, so far only user information and saved searches, which I already know how to do.
Regarding the migration of indexes, I found the following thread:
The answers for which state that only the defaultdb folder need be copied over to successfully migrate the main index from one instance to another. However, this information was in reference to 4.0.1/4.1.3, and I am wondering - is it still accurate? The var/lib/splunk directories seem to differ quite considerably between our two instances at the moment, which is what gives me pause.
This seems to describe how to change the filesystem location of the entire index db within a single instance. I have two separate and distinct instances, residing on different hardware, and I'd like to know if backing up the defaultdb folder on one instance and restoring it on the other is sufficient to migrate only the main index. Previous discussion seems to suggest this, but it's two major versions old.