Upgrading/Migrating Splunk from 6.0.1 to 7.2.3. Need Help

ramprakash
Explorer

Hello Splunkers,

I need to upgrade my current Splunk multi cluster environment from 6.0.1 to 7.2.3.

Present infrastructure where Splunk 6.0.1 is present:

  1. Two indexers
  2. Two search heads (SHP)
  3. One Cluster master

Futuristic infrastructure where Splunk 7.2.3 will be deployed. I have ordered completely new devices. Once the upgrade is done, we will decommission the old infrastructure.

  1. Two indexers
  2. Two search heads
  3. One Cluster master
  4. One Deployment server

My biggest challenge is that I want to transfer all the data from the old (6.0.1) system to the new (7.2.3) system. How can this be achieved?
What is the step-by-step process to follow? Any help will be highly appreciated.

0 Karma

codebuilder
Influencer

If you are standing up a new cluster on new hardware and want to transfer your indexes over, it is pretty straightforward if you have an identical number of indexers. If not, it becomes a bit more complicated.

If you do though, here are the high level steps:

On new cluster:
Deploy your existing indexes.conf but set the index(es) to disabled = 1

On old cluster:
Roll all hot buckets to warm
Disable the index

From old cluster indexers to new cluster indexers:
rsync -az /path/to/your/data/ new_indexer_name:/path/to/your/data/

Repeat that for each path defined (hot,warm,cold,etc), for each index, and for each indexer (old_indexer02 to new_indexer02 e.g.).

On the new cluster:
Verify/update user:group ownerships on the new data paths (chown -RP splunk:splunk /path/to/your/data/ e.g.).
Enable the index

Splunk may do some housekeeping, so to speak, once you enable the index. But after that you should be good.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
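The "repeat for each path, each index, each indexer" step from the answer above, as an added example that is not part of the original thread: it reads an indexes.conf and prints one rsync command per data path, plus a dry-run variant for checking that nothing is left to copy. The sample indexes.conf, the host name new_indexer01 and the default SPLUNK_DB location are assumptions, and paths that use volume: references are not handled.

```shell
#!/bin/sh
# Constructed sample indexes.conf (not from the thread).
sample_indexes_conf() {
cat <<'EOF'
[web]
homePath = $SPLUNK_DB/web/db
coldPath = $SPLUNK_DB/web/colddb
thawedPath = $SPLUNK_DB/web/thaweddb

[firewall]
homePath = /data/hot/firewall/db
coldPath = /data/cold/firewall/colddb
thawedPath = /data/cold/firewall/thaweddb
EOF
}

# list_paths SPLUNK_DB < indexes.conf
# Prints "index<TAB>path" for every homePath/coldPath/thawedPath,
# expanding a literal $SPLUNK_DB prefix to the directory given as $1.
list_paths() {
  awk -v db="$1" '
    /^\[/ { idx = substr($0, 2, index($0, "]") - 2); next }
    /^(homePath|coldPath|thawedPath)[ \t]*=/ {
      p = $0; sub(/^[^=]*=[ \t]*/, "", p)
      i = index(p, "$SPLUNK_DB")
      if (i) p = substr(p, 1, i - 1) db substr(p, i + 10)
      print idx "\t" p
    }'
}

# rsync_plan NEW_INDEXER SPLUNK_DB [copy|verify] < indexes.conf
# Run on one old indexer, naming its matching new indexer. Only prints commands.
# The trailing slash on the source copies the directory contents, so the
# destination does not end up with a nested db/db directory.
rsync_plan() {
  if [ "${3:-copy}" = "verify" ]; then
    flags="-azn --itemize-changes"   # dry run: lists anything still differing
  else
    flags="-az"
  fi
  list_paths "$2" | while IFS="$(printf '\t')" read -r idx path; do
    printf 'rsync %s %s/ %s:%s/   # index=%s\n' "$flags" "$path" "$1" "$path" "$idx"
  done
}

# Demo on the constructed sample; /opt/splunk/var/lib/splunk is the assumed SPLUNK_DB.
sample_indexes_conf | rsync_plan new_indexer01 /opt/splunk/var/lib/splunk copy
```

Review the printed commands before running them, and run the verify variant after the copy; an empty itemized list means the new indexer already has every file.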

woodcock
Esteemed Legend

I would make the old servers a multi-site cluster and put the new servers as a second site. Let the CM go crazy (it will crash many times), then decommission the old site.

ramprakash
Explorer

I need to move the CM to the new system as well. Is there any documentation for this?

0 Karma

woodcock
Esteemed Legend

The CM is a "start from scratch" node and does not record any state anywhere. If you simply point the Indexers to a new CM and restart everything, it will get sorted out quickly without any admin steps.

0 Karma

skalliger
Motivator

I have written a whole essay before realising that we need more information first. Are you planning to add the new servers into the existing multi-site cluster? Because this will make it a lot easier.

Skalli

0 Karma

ramprakash
Explorer

Hi. I am installing completely new hardware first and then moving all the data to it. What is the best way to do this? Are there any procedural steps?

0 Karma

skalliger
Motivator

Well, the easiest way would be to include the new servers into the existing cluster and then decommission the old ones, like woodcock wrote. Everything else is kind of complicated and there is no step-by-step procedure available that I know of.

0 Karma