We have installed splunk on one box (Linux) but because of disk space issues we want to move the Splunk another Box.This is splunk indexer and we don't want to loose the history.
So ideally we want to move splunk indexer from host "A" to Host "B".
If we use tarball of the existing splunk directory in other host , whether it will work?
Thanks in advance...
Yes, this will work as long as you move only the datastore to the same location on the new server. The default location is $SPLUNK_HOME/var/lib/splunk for the entire datastore including event data and Splunk internal data, and $SPLUNK_HOME/var/lib/splunk/defaultdb for just the event data. Make sure you stop Splunk before moving the datastore. For the rest of Splunk, just install a new Splunk instance on the new box.
Take a look at this Splunk Wiki topic for more details:
you can almost move the whole tarball, but it's not much harder and much much safer to just move (a) a tar of the indexed data, plus (b) a tar of the custom config which can be generated with, e.g.,
cd $SPLUNK_HOME/etc && find . -type d -name local | xargs tar -cf custcfg.tar and untaring that back over a new install.
You cannot move all of the Splunk directory within a tar ball to another host. This is not supported.
As an alternative, you can create a tar ball of all your indexed information ($SPLUNK_HOME/var/lib/splunk) and move that to the index location of your new installation of Splunk. When doing this, you must first move and unpack your tar ball into the new location prior to the very first startup of the new installation of Splunk. Alternatively, you can have the tar ball overwrite the directory location if you happen to have started it up by accident.