If you are on Windows to Windows (32bit to 64 or 64bit to 64bit)
Here are the steps:
$SPLUNK_HOME\etc\auth (that also contains the secret key for password encryption) the user password:
$SPLUNK_HOME\etc\apps\ the local configuration
$SPLUNK_HOME\etc\system\local (eventually modify the server.conf and inputs.conf from ...\etc\system\local that contain the old hostname) the users folders
If they are hard coded as
c:\program files\splunk\var\lib\splunk\... then change them to the new location
- double check the permissions on the files.
- restart the new indexer and verify that all is working, and searchable
The easiest way to do it would be as follows:
1) Run $SPLUNK_HOME/bin/splunk stop
2) Find your indexes.conf where you define where to save your indexes (could be in etc/apps, or etc/system/local). Zip all the db related files that you find in the directories defined in your indexes.conf.
3) Zip your $SPLUNK_HOME directory.
4) Port over both zips to the new box, and unzip them.
5) Make sure you run a search for any metadata files containing the name / IP of the old server.
6) Run $SPLUNK_HOME/bin/splunk start.
I used this method to upgrade a number of forwarders to include certain basic configurations, and to port over the databases from one location in a shared drive, to a different one.
Hope this helps.
Maybe I just misunderstood you. As long as you defined the paths in your configurations, and you include in your zip all of the contents inside your $SPLUNK_HOME, then all configuration files will move along with your Splunk installation, therefore pointing to the same places that your old server was pointing to, no matter what type of Splunk you are porting.
I thought you were talking about an indexer (hence your database question). If you are talking about a forwarder then yes, you will have to update the monitoring path inside of the inputs.conf file, unless of course your new machine has the exact same directory structure.
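Step 5 above and the inputs.conf remark in the follow-up, as an added example that is not part of the original posts: a shell function that lists every line in the .conf and .meta files under the copied etc directory that still mentions the old server. The host name oldidx01, the address 10.0.0.5 and the sample files are constructed, and -w assumes GNU or BSD grep.

```shell
#!/bin/sh
# Added example, not from the thread. Host names, IPs and file contents are constructed.

# find_stale_refs ETC_DIR PATTERN...
# Prints file:line:text for each *.conf / *.meta line under ETC_DIR that still
# mentions one of the PATTERNs. Returns 0 if anything matched, 1 if clean.
find_stale_refs() {
    etc_dir=$1; shift
    [ -d "$etc_dir" ] || { echo "not a directory: $etc_dir" >&2; return 2; }
    [ $# -gt 0 ] || { echo "usage: find_stale_refs ETC_DIR PATTERN..." >&2; return 2; }
    pats=$(mktemp) || return 2
    printf '%s\n' "$@" > "$pats"
    # -F: literal strings, so the dots in an IP are not wildcards
    # -w: whole words, so 10.0.0.5 does not also report 10.0.0.50
    # -i: host names are case-insensitive; -n/-H: show line number and file
    out=$(find "$etc_dir" -type f \( -name '*.conf' -o -name '*.meta' \) \
            -exec grep -FwinH -f "$pats" {} +) || true
    rm -f "$pats"
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# make_sample_tree: builds a small constructed etc/ tree and prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/system/local" "$d/apps/search/local" "$d/apps/search/metadata"
    printf '[general]\nserverName = OLDIDX01\n' > "$d/system/local/server.conf"
    printf '[default]\nhost = oldidx01\n' > "$d/system/local/inputs.conf"
    printf '[tcpout:primary]\nserver = 10.0.0.50:9997\n' > "$d/apps/search/local/outputs.conf"
    printf '[]\nowner = admin\n' > "$d/apps/search/metadata/local.meta"
    printf '%s\n' "$d"
}

# Usage: sh find_stale_refs.sh /opt/splunk/etc oldidx01 10.0.0.5
if [ $# -ge 2 ]; then
    find_stale_refs "$@"
fi
```

Run it after unzipping and before starting Splunk on the new box, so stale serverName and host values are corrected before anything is indexed under the old name.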