Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Head Migration

splunkguy
Engager
‎09-29-2023 10:56 PM

How do I migrate Dashboards and alerts from older standalone search head to new standalone search 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-29-2023 11:24 PM

Hi @splunkguy ,

follow these steps:

  • make a copy of the Apps to migrate from the old SH to the SHC,
  • install and configure the SH Cluster,
  • copy the above Apps in the SHC-Deployer, in $SPLUNK_HOME/etc/shcluster,
  • Deploy them using the command
    • splunk apply shcluster-bundle -target URI:management_port -auth username:password

You can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.1/DistSearch/PropagateSHCconfigurationchanges 

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-30-2023 01:55 PM

Well...the idea is relatively easy (you want to capture old SH state and set the new SH to the same state) but the details can be tricky.

Generally, you want to move the config files (both system-wide and users' ones) and kvstore state.

The problem is that if you're migrating, you might not need some stuff if you'll be deploying on a new instance (like certs might need to be generated for a new name) so you'll have to be selective about restoring the configs.

0 Karma
Reply
Solved! Jump to solution

splunkguy
Engager
‎09-30-2023 02:06 PM

Hi @PickleRick , 

Thanks for replying,  my issue is that Splunk SH is running on Linux 6 and I have to migrate it to Linux 8 because Splunk 9.1 is not supported on Legacy Linux.

So I have built a new instance and added to cluster, as a standalone SH it can search the data and I can make it primary, but not sure how to copy Dashboards/alerts built by users that are no longer active. So that's where I am looking for options to copy it from old instance to new before making it active. 

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-30-2023 02:28 PM

Generally, system-wide stuff is in etc/system and etc/apps whereas users' content is in etc/users. You need to remember however that your stuff probably depends on add-ons which do the extractions. If you use datamodels, they should be properly defined and configured. And so on.

0 Karma
Reply
Solved! Jump to solution

splunkguy
Engager
‎09-30-2023 09:51 AM

Hi @gcusello , 

Thanks for replying. I am using a standalone search head. Would like to move to a standalone search head and not a search head cluster. Is that  the same process for migrating apps to standalone search head?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2024 12:51 AM

Hi @splunkguy ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-01-2023 01:16 AM

Hi @splunkguy ,

to move a standalone Search Head to another standalone SH, you have to make the same steps, obviously without the cluster:

  • make a copy of the Apps to migrate from the old SH to the new one,
  • copy the above Apps in the new SH in $SPLUNK_HOME/etc/apps.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-29-2023 11:24 PM

Hi @splunkguy ,

follow these steps:

  • make a copy of the Apps to migrate from the old SH to the SHC,
  • install and configure the SH Cluster,
  • copy the above Apps in the SHC-Deployer, in $SPLUNK_HOME/etc/shcluster,
  • Deploy them using the command
    • splunk apply shcluster-bundle -target URI:management_port -auth username:password

You can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.1/DistSearch/PropagateSHCconfigurationchanges 

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...