We've currently got a stand-alone 64-bit linux box handling inputs from a collection of Splunk forwarders, all on 4.2.5. $SPLUNK_HOME is still set to it's default and all of the data is flowing into the original, default index. We've got about 13 millions events, a lot of saved searches and dashboards.
We're now looking at how to migrate our system over to an existing 64-bit Linux Splunk setup that's running on 4.2.2. I've been reading the docs and Splunkbase about migration but am still not clear on how this would actually work. I can zip/tar the original data, but how will that work on the new server? I guess what I'm after is that we've got a home directory on the new server with all of our old data, field extractions, etc. that doesn't interfere with the rest of the server. Is that possible, given that the data is currently in the standard home default?
The server admin is happy to set up a specific index for us on the server farm, but I'm hoping to migrate our past events without export-to-CSV-and-reimport and to keep our existing searches, dashboards, etc.
Thanks for any guidance or links.
This will include your indexes (by default, your main Splunk index is located in
$SPLUNK_HOME$/var/lib/splunk/) and any configuration files you've changed in
Stop the Splunk services (splunkd and splunkweb) again.
Copy the following files and directories from the copy of
$SPLUNK_HOME$/etc/ that you set aside (indexes and configuration files) back into the same locations in the new installation.
$SPLUNK_HOME$/etc/deployment-apps (if the Splunk instance is a deployment server)
$SPLUNK_HOME$/etc/log-local.cfg (if a local version was manually created)
In your new installation of Splunk, rename the
$SPLUNK_HOME$/var/ directory to something else (like
$SPLUNK_HOME$/var.delete/) and then copy over the
$SPLUNK_HOME$/var/ directory you saved.
You can later delete the var.delete directory.
Restart Splunk, and check your configurations.
Remove your old installation
I would not migrate configs to a lower splunk version as there might be change which will not work...
Then first upgrade your second splunk instance to same version.
All configs are in
splunk/etc , all indexed data by default are in