SN1
Path Finder

OK, so we have 2 search heads and we want to migrate the Enterprise Security app from one search head to another. How should we do that step by step so that we don't face any issues?


kiran_panchavat
Champion

@SN1 

If you're migrating for the first time, I recommend testing the process in a test environment before applying it in production.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

kiran_panchavat
Champion

@SN1 

To move the apps from one server to another, I recommend using WinSCP or SCP and following the steps I mentioned above.


kiran_panchavat
Champion

@SN1 

The procedure was:
- Deploy Splunk Enterprise to the new server, using the same version you have on the existing server
- Tar the entire $SPLUNK_HOME/etc folder from the existing Splunk Enterprise Security server, but I recommend stopping the Splunk service first, just to avoid any changes from customers
- Stop the Splunk service on the new server
- Copy the tar file to the new server into the $SPLUNK_HOME/etc folder
- Stop the Splunk service on the current Splunk Enterprise server
- Copy the bundle file from $SPLUNK_HOME/var/run on the existing server to the new one at the same path. The bundle file should look something like servername-1570745614.bundle
- Start the Splunk service on the new server
- Monitor for any error messages or missing-configuration issues

Before you run this procedure, stop the existing Splunk server and run a full backup of etc, just to make sure you have the last updated configuration/apps, so that if you have any issues you can recover from the point where everything is working properly in the current Splunk environment.


kiran_panchavat
Champion

@SN1 

It is pretty easy. If you're speaking of a non-clustered SH, you only have to copy the Enterprise Security apps from the old SH to the new one.

The easiest way is to install the same Splunk and ES on the new SH, copy the entire Splunk etc folder from the old SH to the new one, and at the end you can upgrade Splunk.

Copy the entire `$SPLUNK_HOME/etc/*` and `$SPLUNK_HOME/var/run` directory space.
Restart Splunk.

This all presumes that you set up Splunk and ES correctly the first time (i.e. all indexes and summaries are on your indexers).


SN1
Path Finder

So I just have to paste the Enterprise Security app folder ($SPLUNK_HOME/etc/apps) from the old SH to the new SH?


livehybrid
SplunkTrust

Hi @SN1 
Check out https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-move-Enterprise-Security-to-new-se... (which I believe @kiran_panchavat has posted some snippets from below), as this has more info.

To be clear though, it is not as simple as just moving the "SplunkEnterpriseSecuritySuite" app. Depending on your setup there will be multiple apps (such as SA-* and TA-* apps) which support the ES app.

Aside from the apps, there are also KV Stores which you will need to backup and restore / migrate to the new SH. 

Question - Is the new SH going to replace the old SH? Are there any users/configuration on the new SH already? If the new SH is a blank replacement then you might be okay to copy all the $SPLUNK_HOME/etc/apps content over, along with a KVStore backup and restore from the Old to the New SH.

As mentioned previously, it would be worth testing this in a development environment - if you have one! I know that not everyone has the luxury!

Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped.
Regards

Will

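The steps above from @kiran_panchavat (stop, tar etc/, copy the var/run bundle, start, watch for errors) and the KV store backup/restore @livehybrid adds, pulled together as an added shell example. This is not code from the thread or from Splunk. Assumptions not stated on the page: `SPLUNK_HOME` defaults to `/opt/splunk`, both SHs run the same Splunk and ES versions, the new SH is a blank replacement, the script runs as the splunk user with key-based ssh/scp to the new host (`NEW_HOST` is a placeholder), and the `splunkd.pid` and `kvstorebackup` paths are the default layout.

```shell
#!/bin/sh
# Added example, not the thread's or Splunk's own code. Helpers for the
# stop -> tar etc/ -> copy -> verify -> unpack flow, plus KV store backup/restore.
# Assumed: SPLUNK_HOME (default /opt/splunk), same Splunk+ES version on both SHs,
# ssh/scp from old SH to new SH, default splunkd.pid and kvstorebackup paths.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Newest bundle in var/run, chosen by the epoch in its name
# (servername-1570745614.bundle), so a stale bundle is never the one copied.
latest_bundle() { # latest_bundle SPLUNK_HOME
  ls "$1"/var/run/*.bundle 2>/dev/null \
    | sed 's/.*-\([0-9][0-9]*\)\.bundle$/\1 &/' \
    | sort -n | tail -n 1 | cut -d' ' -f2-
}

# Archive etc/ (apps, users, auth, passwd). Owner and mode are recorded in the
# tar and restored on extract only when the extracting user is root.
pack_etc() { # pack_etc SPLUNK_HOME OUTFILE
  tar -C "$1" -czf "$2" etc
}

# SHA-256 of a file, so the copy can be checked on the new host before use.
sha256_of() { # sha256_of FILE
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Unpack on the new host. Refuses to run while splunkd is up (pid file present,
# assumed default path) or when the tarball does not match the expected digest.
unpack_etc() { # unpack_etc SPLUNK_HOME TARBALL [EXPECTED_SHA256]
  if [ -f "$1/var/run/splunk/splunkd.pid" ]; then
    echo "refusing: splunkd appears to be running in $1" >&2
    return 1
  fi
  if [ -n "${3:-}" ] && [ "$(sha256_of "$2")" != "$3" ]; then
    echo "refusing: checksum mismatch for $2" >&2
    return 1
  fi
  tar -C "$1" -xpzf "$2"
}

# End-to-end flow for a non-clustered SH. NEW_HOST is a placeholder hostname.
migrate_to() { # migrate_to NEW_HOST
  bin="$SPLUNK_HOME/bin/splunk"
  kvdir="$SPLUNK_HOME/var/lib/splunk/kvstorebackup"   # assumed default path
  # The KV store backup talks to a running splunkd, so take it before stopping.
  "$bin" backup kvstore -archiveName es-migration
  "$bin" stop
  pack_etc "$SPLUNK_HOME" /tmp/splunk-etc.tgz
  sum=$(sha256_of /tmp/splunk-etc.tgz)
  bundle=$(latest_bundle "$SPLUNK_HOME")
  scp /tmp/splunk-etc.tgz "$bundle" "$kvdir/es-migration.tar.gz" "$1:/tmp/"
  # On the new host: verify digest, stop, unpack, place bundle + KV archive,
  # start, then restore the KV store into the running instance.
  ssh "$1" "set -e
    [ \"\$(sha256sum /tmp/splunk-etc.tgz | cut -d' ' -f1)\" = '$sum' ]
    '$bin' stop
    tar -C '$SPLUNK_HOME' -xpzf /tmp/splunk-etc.tgz
    cp '/tmp/$(basename "$bundle")' '$SPLUNK_HOME/var/run/'
    mkdir -p '$kvdir' && mv /tmp/es-migration.tar.gz '$kvdir/'
    '$bin' start
    '$bin' restore kvstore -archiveName es-migration"
}
```

Run `migrate_to NEW_HOST` on the old SH once nothing is writing to it; after the restore, check `splunkd.log` on the new SH for errors, and only then retire the old SH. Copying `etc/` wholesale also moves `etc/passwd` and `etc/auth` (including the splunk.secret that encrypts stored credentials), which is what makes the app passwords usable on the new host and also why the tarball should be removed from `/tmp` on both ends as soon as the extract succeeds.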