Installation
Highlighted

Please advise on proposed process to upgrade Splunk 6.1 to a new Linux server.

Builder

I will be moving an existing Splunk installation (and all the data, inputs and customizations, etc.) over to a new server (Linux to Linux same platform and same architecture) and perform an upgrade to 6.1 and from what I gathered from all the documentation, the process would be this:

  • Stop Splunk Enterprise 5.0 on the server from which you want to migrate.
  • Copy the entire contents of the $SPLUNKHOME directory from the old server to the new server – All my indexes and data reside under $SPLUNKHOME
  • Create Splunk user and install Splunk 6.1 on target platform under same location and directory structure of the copied files - Extract 6.1 downloaded splunk-6.1.3-220630-Linux-x86_64.tgz directly over the copied files on the new system
  • Start Splunk Enterprise on the new instance - Splunk Enterprise detects whether you are migrating and prompts you on whether or not to upgrade at this time, answer by yes.
  • Start command should migrate the license to the new server: $SPLUNK_HOME/bin/splunk start --accept-license --answer-yes

Are we missing something in the process.
Please advice

Labels (2)
Tags (3)
Highlighted

Re: Upgrade Splunk 6.1 to a new Linux server

Communicator

Most of it looks good. That said, here are a few things, off the top of my head:

  • Generally you would want to create backups, although you could use the old server as the "backup" for config files/data-wise.
  • Make sure to chown all the right directories/files, as needed.
  • Not sure how distributed the architecture is, or how everything would be configured. I generally advise to use a DNS alias for the Splunk server; that way, if you migrate (as you're doing now), nobody has to update their bookmarks. There may be communications to consider around this, depending on your user-base (and update internal docs, bookmarks, and wherever else you might've documented it).
  • If you're using SSL, but changing the URL of Splunk, might need to get a new cert generated/signed for it.
  • If you're using forwarders, you may need to update outputs.conf across forwarders to send to the new box. This may be alleviated through centralized management, such as the deployment server.
  • Not sure what your security landscape looks like, but make sure that firewalls (local or network), or any other security in place would take into account the new system.
  • If you're using a separate license server, make sure that the server's added to the license pool. Even if it's all running on the same box, I'd definitely mark it as a "validation" point.
  • Consider enabling boot-start, if you want Splunk to fire up on boot ($SPLUNK_HOME/bin/splunk enable boot-start).

View solution in original post

Highlighted

Re: Upgrade Splunk 6.1 to a new Linux server

Communicator

As it so happens, there's a stack of stuff on the Splunk wiki as well:
http://wiki.splunk.com/Deploy:Migrating_a_Splunk_Install

0 Karma
Highlighted

Re: Upgrade Splunk 6.1 to a new Linux server

Builder

I'm using SSL and change the URL of Splunk , do i need to get a new cert generated ???

0 Karma
Highlighted

Re: Upgrade Splunk 6.1 to a new Linux server

Communicator

I would assume so, but you'd have to check your cert. The certificate might be tied to the system's URL.

Lots of documentation on the wiki & official Splunk docs on certs, if needed:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Security/Howtogetthird-partycertificates

0 Karma