
Migrating a stand-alone linux server to a shared Linux server

dpadams
Communicator

We've currently got a stand-alone 64-bit Linux box handling inputs from a collection of Splunk forwarders, all on 4.2.5. $SPLUNK_HOME is still set to its default and all of the data is flowing into the original, default index. We've got about 13 million events, a lot of saved searches and dashboards.

We're now looking at how to migrate our system over to an existing 64-bit Linux Splunk setup that's running on 4.2.2. I've been reading the docs and Splunkbase about migration but am still not clear on how this would actually work. I can zip/tar the original data, but how will that work on the new server? I guess what I'm after is that we've got a home directory on the new server with all of our old data, field extractions, etc. that doesn't interfere with the rest of the server. Is that possible, given that the data is currently in the standard home default?

The server admin is happy to set up a specific index for us on the server farm, but I'm hoping to migrate our past events without export-to-CSV-and-reimport and to keep our existing searches, dashboards, etc.

Thanks for any guidance or links.

0 Karma

MarioM
Motivator
  1. Make a copy of the $SPLUNK_HOME$/var/ and $SPLUNK_HOME$/etc/ directories.

This will include your indexes (by default, your main Splunk index is located in $SPLUNK_HOME$/var/lib/splunk/) and any configuration files you've changed in $SPLUNK_HOME$/etc/system/local, $SPLUNK_HOME$/etc/users and $SPLUNK_HOME$/etc/apps.

  2. Stop the Splunk services (splunkd and splunkweb) again.

  3. Copy the following files and directories from the copy of $SPLUNK_HOME$/etc/ that you set aside (indexes and configuration files) back into the same locations in the new installation.

    $SPLUNK_HOME$/etc/myinstall/splunkd.xml

    $SPLUNK_HOME$/etc/system/local

    $SPLUNK_HOME$/etc/system/lookups

    $SPLUNK_HOME$/etc/apps

    $SPLUNK_HOME$/etc/auth

    $SPLUNK_HOME$/etc/deployment-apps (if the Splunk instance is a deployment server)

    $SPLUNK_HOME$/etc/log-local.cfg (if a local version was manually created)

    $SPLUNK_HOME$/etc/openldap

    $SPLUNK_HOME$/etc/licenses/enterprise/splunk.license

    $SPLUNK_HOME$/etc/splunk-launch.conf

    $SPLUNK_HOME$/etc/passwd

    $SPLUNK_HOME$/etc/users

  4. In your new installation of Splunk, rename the $SPLUNK_HOME$/var/ directory to something else (like $SPLUNK_HOME$/var.delete/) and then copy over the $SPLUNK_HOME$/var/ directory you saved.

You can later delete the var.delete directory.

  5. Restart Splunk, and check your configurations.

  6. Remove your old installation.

0 Karma

MarioM
Motivator

I would not migrate configs to a lower Splunk version, as there might be changes which will not work...

Then first upgrade your second Splunk instance to the same version.

All configs are in splunk/etc, and all indexed data is by default in splunk/var/lib/splunk.

Migrating a Splunk Install

0 Karma
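
The following is an added example, not code from either poster or from Splunk: it applies the version caveat from the second reply before performing the "make a copy" step from the first reply, reading each installation's version from etc/splunk.version. The function names, the staging directory and the archive name are assumptions, and it assumes Splunk on the source host is already stopped.

```shell
#!/usr/bin/env bash
# Added example. Function names, staging path and archive name are assumptions.
# Assumes splunkd on the source is stopped so index buckets do not change
# while tar reads them.

# Print the VERSION= value from <splunk_home>/etc/splunk.version.
splunk_version() {
    sed -n 's/^VERSION=//p' "$1/etc/splunk.version"
}

# Return 0 when dotted version $1 is older than $2 (numeric, field by field).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" |
            sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n1)" = "$1" ]
}

# Archive etc/ and var/ of Splunk home $1 into staging directory $2.
# etc/auth (certificates) and etc/passwd (local account password hashes) are
# in the archive, so everything is created owner-only (umask 077). A SHA-256
# manifest lets the copy be verified after transfer to the new host.
stage_copy() {
    src=$1 stage=$2
    ( umask 077
      mkdir -p "$stage" &&
      tar -cpf "$stage/splunk-etc-var.tar" -C "$src" etc var &&
      cd "$stage" &&
      sha256sum splunk-etc-var.tar > splunk-etc-var.tar.sha256 )
}

# $1 = old Splunk home, $2 = new Splunk home, $3 = staging directory.
# Refuse to stage anything when the target runs an older Splunk than the source.
migrate_preflight() {
    old=$(splunk_version "$1") new=$(splunk_version "$2")
    if version_lt "$new" "$old"; then
        echo "target $new is older than source $old: upgrade the target first" >&2
        return 1
    fi
    stage_copy "$1" "$3"
}
```

On the new host, `sha256sum -c splunk-etc-var.tar.sha256` in the staging directory confirms the archive arrived intact before anything is copied into place.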