Installation

Search Head Migration

splunkguy
Engager

How do I migrate Dashboards and alerts from older standalone search head to new standalone search 

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @splunkguy ,

follow these steps:

  • make a copy of the Apps to migrate from the old SH to the SHC,
  • install and configure the SH Cluster,
  • copy the above Apps in the SHC-Deployer, in $SPLUNK_HOME/etc/shcluster,
  • Deploy them using the command
    • splunk apply shcluster-bundle -target URI:management_port -auth username:password

You can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.1/DistSearch/PropagateSHCconfigurationchanges 

Ciao.

Giuseppe

View solution in original post

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Well...the idea is relatively easy (you want to capture old SH state and set the new SH to the same state) but the details can be tricky.

Generally, you want to move the config files (both system-wide and users' ones) and kvstore state.

The problem is that if you're migrating, you might not need some stuff if you'll be deploying on a new instance (like certs might need to be generated for a new name) so you'll have to be selective about restoring the configs.

0 Karma

splunkguy
Engager

Hi @PickleRick , 

Thanks for replying,  my issue is that Splunk SH is running on Linux 6 and I have to migrate it to Linux 8 because Splunk 9.1 is not supported on Legacy Linux.

So I have built a new instance and added to cluster, as a standalone SH it can search the data and I can make it primary, but not sure how to copy Dashboards/alerts built by users that are no longer active. So that's where I am looking for options to copy it from old instance to new before making it active. 

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Generally, system-wide stuff is in etc/system and etc/apps whereas users' content is in etc/users. You need to remember however that your stuff probably depends on add-ons which do the extractions. If you use datamodels, they should be properly defined and configured. And so on.

0 Karma

splunkguy
Engager

Hi @gcusello , 

Thanks for replying. I am using a standalone search head. Would like to move to a standalone search head and not a search head cluster. Is that  the same process for migrating apps to standalone search head?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @splunkguy ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @splunkguy ,

to move a standalone Search Head to another standalone SH, you have to make the same steps, obviously without the cluster:

  • make a copy of the Apps to migrate from the old SH to the new one,
  • copy the above Apps in the new SH in $SPLUNK_HOME/etc/apps.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @splunkguy ,

follow these steps:

  • make a copy of the Apps to migrate from the old SH to the SHC,
  • install and configure the SH Cluster,
  • copy the above Apps in the SHC-Deployer, in $SPLUNK_HOME/etc/shcluster,
  • Deploy them using the command
    • splunk apply shcluster-bundle -target URI:management_port -auth username:password

You can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.1/DistSearch/PropagateSHCconfigurationchanges 

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...