Installation

Installing a new Splunk server and restoring data from another splunk server

leobsksd
Explorer

I am installing a new Splunk server on Windows using the trial subscription for now, which may be changed to the free license later.  

I have data from another Splunk for Windows server that I would like to restore to the new instance.  What is the process for doing that?

Thanks,

Leo

Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @leobsksd,

do you want to migrate only configurations or also data?

For configurations, you have to copy from the old instance to the new one all the apps you installed and eventually also search and launcer, if you have some configuration in these apps.

if you want also migrate data, you have to:

  • stop bothe the instances,
  • copy the $SPLUNK_HOME\var\lib\splunk folder (or a different one if you used a different $SPLUNK_DB) from the old to the new instance,
  • copy all the indexes.conf files from the old to the new instance,
  • restart Splunk in the new instance.

Only for conclusion: Windows is ok for quick tests or demo, avoid for production systems, use Linux!

Ciao.

Giuseppe

0 Karma

leobsksd
Explorer

I will try standing up a new instance of Splunk and copying over the $SPLUNK_HOME\var\lib\splunk folder to the new installation from the instance of Splunk that I have backed up.  

Will this also copy over the configuration from the old server?  Part of the issue is that the old server had a free license which is violation, which is why I am working to setup a new Splunk server without that problem. 

Good point about Linux.  I may try installing Splunk on that platform and see how it does.

Leobsksd

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @leobsksd,

you have to copy the apps and data, not all the etc folder , especially license!

I suppose that you want to install on a different computer or a different VM, not on the same instance in violation, it will not work:  on Windows you cannot reinstall Splunk on the same server, instead on linux you can install in a different folder, eventually deleting the old one without problems.

Ciao.

Giuseppe

0 Karma

leobsksd
Explorer
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Also remember that the Trial license is granted to a particular party for a particular use (testing the solution to see if it's appropriate for intended purpose) and limited time. Attempts to "prolong" the trial license by moving data to a fresh instance is against license terms. If you need a longer-time trial license, contact your local friendly Splunk Partner.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @leobsksd ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...