Solved: Search Head Migration

splunkguy · ‎09-29-2023

How do I migrate Dashboards and alerts from older standalone search head to new standalone search

gcusello · ‎09-29-2023

follow these steps:

make a copy of the Apps to migrate from the old SH to the SHC,
install and configure the SH Cluster,
copy the above Apps in the SHC-Deployer, in $SPLUNK_HOME/etc/shcluster,
Deploy them using the command
- splunk apply shcluster-bundle -target URI:management_port -auth username:password

You can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.1/DistSearch/PropagateSHCconfigurationchanges

Ciao.

Giuseppe

View solution in original post

PickleRick · ‎09-30-2023

Well...the idea is relatively easy (you want to capture old SH state and set the new SH to the same state) but the details can be tricky.

Generally, you want to move the config files (both system-wide and users' ones) and kvstore state.

The problem is that if you're migrating, you might not need some stuff if you'll be deploying on a new instance (like certs might need to be generated for a new name) so you'll have to be selective about restoring the configs.

splunkguy · ‎09-30-2023

Hi @PickleRick ,

Thanks for replying, my issue is that Splunk SH is running on Linux 6 and I have to migrate it to Linux 8 because Splunk 9.1 is not supported on Legacy Linux.

So I have built a new instance and added to cluster, as a standalone SH it can search the data and I can make it primary, but not sure how to copy Dashboards/alerts built by users that are no longer active. So that's where I am looking for options to copy it from old instance to new before making it active.

PickleRick · ‎09-30-2023

Generally, system-wide stuff is in etc/system and etc/apps whereas users' content is in etc/users. You need to remember however that your stuff probably depends on add-ons which do the extractions. If you use datamodels, they should be properly defined and configured. And so on.

splunkguy · ‎09-30-2023

Hi @gcusello ,

Thanks for replying. I am using a standalone search head. Would like to move to a standalone search head and not a search head cluster. Is that the same process for migrating apps to standalone search head?

gcusello · ‎09-07-2024

Hi @splunkguy ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

gcusello · ‎10-01-2023

Hi @splunkguy ,

to move a standalone Search Head to another standalone SH, you have to make the same steps, obviously without the cluster:

make a copy of the Apps to migrate from the old SH to the new one,
copy the above Apps in the new SH in $SPLUNK_HOME/etc/apps.

Ciao.

Giuseppe

gcusello · ‎09-29-2023

Hi @splunkguy ,

follow these steps:

make a copy of the Apps to migrate from the old SH to the SHC,
install and configure the SH Cluster,
copy the above Apps in the SHC-Deployer, in $SPLUNK_HOME/etc/shcluster,
Deploy them using the command
- splunk apply shcluster-bundle -target URI:management_port -auth username:password

You can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.1/DistSearch/PropagateSHCconfigurationchanges

Ciao.

Giuseppe

Search Head Migration

search head

upgrade

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)