Installation

Migrate an Existing Splunk Instance to Another Existing Splunk Instance.

Communicator

I want to migrate away from an existing Splunk (version 4.1.5) instance to an existing Splunk (v4.3.4) instance. I've looked at http://wiki.splunk.com/Deploy:Migrating_a_Splunk_Install, but it is discusses migrating to a new Splunk instance.

My concern is finding and moving my users' saved searches to the 4.3.4 instance. The primary objective is they should be owned by the same user, with the same permissions. Naturally some users won't exist, but the saved searches are still of value. The 4.1.5 system is standalone, one Solaris zone handling all searching and indexing. The 4.3.4 system consists of 2 pooled search heads and 6 indexers.

Does anyone have hints for finding and migrating saved searches? I want to get completely off the 4.1.5 system. I already have a migration plan for the indexes, so that's not an issue.

Tags (2)
0 Karma
1 Solution

Builder

LGuinn posted an app or plug-in here called X-Ray Splunk just recently. You should find it's where used capabilities very handy for such a migration, especially as the saved searches are one consideration, and the safety of your tags also of importance.
Whether the app is backward compatible to 4.1 I don't know.
Link is http://splunk-base.splunk.com/apps/64088/x-ray-splunk-knowledge-objects

View solution in original post

Builder

LGuinn posted an app or plug-in here called X-Ray Splunk just recently. You should find it's where used capabilities very handy for such a migration, especially as the saved searches are one consideration, and the safety of your tags also of importance.
Whether the app is backward compatible to 4.1 I don't know.
Link is http://splunk-base.splunk.com/apps/64088/x-ray-splunk-knowledge-objects

View solution in original post

Builder

Jeff - gkanapathy had some good info on the reliability and durability of vsid. Does this work for you: http://splunk-base.splunk.com/answers/4367/after-updating-an-apps-saved-search-by-web-the-vsid-is-no...
I think this infers that the vsid can be transitory or forfeited. I would back the lot up first before trying the delete, but you know that.

Communicator

I'll have to look at X-Ray. And check out the local.meta file. Thanks for those pointers.

Previously, I tried moving stanzas to the new box, but many of the stanzas in etc/users/username/search/local/savedsearch.conf contain lines like "vsid = gsjba82a". Those VSIDs reference other stanzas in etc/apps/search/local/viewstates.conf.

I tried copying both of those over, being careful of duplications, but it just didn't work out. 😞

0 Karma

Champion

the savedsearch.conf in an app will have entries in the local.meta file in the metadata directory for that app, listing the user who owns the app.

0 Karma

Builder

Jeff - I hesitated before posting this comment update as your posts show good familiarity with Splunk, but you do know that there is a savedsearch.conf file in the file hierarchies. Instances exist per plu-in usually and also (I would imagine) per user?
Good luck though.

0 Karma