Installation

Splunk Migration to another server

terryjohn
Path Finder

We're running Splunk V4.3 on a Centos 5 server and we want to move to Splunk 6 running on a different server running Centos 6.

We're moving to Splunk V6.04 to start with as it seems you can't upgrade to V6.1 from V4.3 in one go.

It's important we maintain our historical data so we need to export the data from the old Splunk version to the new version. I've seen lots of information on how to upgrade Splunk and exporting data but nothing that matches our needs to export, import and upgrade.
Our significant apps are *Nix, OSSEC, Snort and Eqalis. I know Snort is only certified for V5 but have been assured it will run on 6.

I just need to know what steps I need to take for this upgrade and whether the exported data from the apps will be of the right format to bring into the new Splunk version.

0 Karma
1 Solution

rtadams89
Contributor

Probably the easiest thing to do while minimizing downtime is to:

1) Perform incremental rsync jobs to copy the entire Splunk install directory to the new server.
2) Once mostly synced up, stop Splunk on the old server and do one last rsync to make sure the servers are 100% in sync.
3) Edit the server.conf and inputs.conf in the etc/system/local directory of the new server to reflect the new server name and any other parameters you may want to change.
4) Start up Splunk on the new server and make sure it is functioning as expected (receiving data, allowing searches, etc.).
5) Update the new server's Splunk install via the upgrade documentation.
6) Once everything is confirmed working, decom the old server.


0 Karma

rtadams89
Contributor

You can do that too. Just install Splunk from scratch on the new server, then merge the indexes. See http://wiki.splunk.com/Community:MoveIndexes and http://answers.splunk.com/answers/32176/is-it-possible-to-migrate-indexed-buckets-to-a-different-ind...

This is much more work, and possibly messier.

0 Karma

terryjohn
Path Finder

I was hoping to avoid that route, complete with old apps that would have to be updated individually on a new version of Splunk. I'd hoped that I could get a new Splunk instance with all the latest versions of apps running, then import the old data.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

One additional configuration change required will be at the forwarders, to point them to the new server, unless a DNS alias is used.

0 Karma