Installation

Migrate an Existing Splunk Instance to Another Existing Splunk Instance.

I_am_Jeff
Communicator

I want to migrate away from an existing Splunk (version 4.1.5) instance to an existing Splunk (v4.3.4) instance. I've looked at http://wiki.splunk.com/Deploy:Migrating_a_Splunk_Install, but it is discusses migrating to a new Splunk instance.

My concern is finding and moving my users' saved searches to the 4.3.4 instance. The primary objective is they should be owned by the same user, with the same permissions. Naturally some users won't exist, but the saved searches are still of value. The 4.1.5 system is standalone, one Solaris zone handling all searching and indexing. The 4.3.4 system consists of 2 pooled search heads and 6 indexers.

Does anyone have hints for finding and migrating saved searches? I want to get completely off the 4.1.5 system. I already have a migration plan for the indexes, so that's not an issue.

Tags (2)
0 Karma
1 Solution

DaveSavage
Builder

LGuinn posted an app or plug-in here called X-Ray Splunk just recently. You should find it's where used capabilities very handy for such a migration, especially as the saved searches are one consideration, and the safety of your tags also of importance.
Whether the app is backward compatible to 4.1 I don't know.
Link is http://splunk-base.splunk.com/apps/64088/x-ray-splunk-knowledge-objects

View solution in original post

DaveSavage
Builder

LGuinn posted an app or plug-in here called X-Ray Splunk just recently. You should find it's where used capabilities very handy for such a migration, especially as the saved searches are one consideration, and the safety of your tags also of importance.
Whether the app is backward compatible to 4.1 I don't know.
Link is http://splunk-base.splunk.com/apps/64088/x-ray-splunk-knowledge-objects

View solution in original post

DaveSavage
Builder

Jeff - gkanapathy had some good info on the reliability and durability of vsid. Does this work for you: http://splunk-base.splunk.com/answers/4367/after-updating-an-apps-saved-search-by-web-the-vsid-is-no...
I think this infers that the vsid can be transitory or forfeited. I would back the lot up first before trying the delete, but you know that.

I_am_Jeff
Communicator

I'll have to look at X-Ray. And check out the local.meta file. Thanks for those pointers.

Previously, I tried moving stanzas to the new box, but many of the stanzas in etc/users/username/search/local/savedsearch.conf contain lines like "vsid = gsjba82a". Those VSIDs reference other stanzas in etc/apps/search/local/viewstates.conf.

I tried copying both of those over, being careful of duplications, but it just didn't work out. 😞

0 Karma

Drainy
Champion

the savedsearch.conf in an app will have entries in the local.meta file in the metadata directory for that app, listing the user who owns the app.

0 Karma

DaveSavage
Builder

Jeff - I hesitated before posting this comment update as your posts show good familiarity with Splunk, but you do know that there is a savedsearch.conf file in the file hierarchies. Instances exist per plu-in usually and also (I would imagine) per user?
Good luck though.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!