
How to complete Splunk Migration from 3 different instances to a new instance?

Mansi24
Path Finder

Hi Splunkers,

We have to migrate our 3 Splunk instances to a whole different new instance. The Splunk documentation says to copy the entire contents of $SPLUNK_HOME$ to the new instance, but since we have to move 3 different instances to one, we can't do it for all.

Could you please guide me on the ideal way for the migration to take place? We need to have all apps and data from all the 3 instances on the newer one. Also, how should the hardware requirements be decided?

Please help!


gcusello
Legend

Hi Mansi24,
if the three instances have different apps and data, it isn't complicated:

  • install Splunk on the new instance,
  • check that in the standard Splunk apps there isn't any knowledge object (eventtypes, fields, etc...), especially in Launcher and Search,
  • if there are, move them into appropriate apps,
  • especially check that all indexes.conf aren't in standard apps,
  • check if there's something that writes logs on the main index; if yes, move these inputs to a different index (if only one instance writes logs on the main index, it isn't important),
  • check if there are external inputs related to the old instances (universal Forwarders, syslogs, etc...); don't move them now but after,
  • stop Splunk on the old and new instances,
  • copy all the apps from the three old instances to the new one,
  • copy all the non-internal indexes from the three old instances to the new one, except the main index,
  • copy the main index only if you have data in only one instance, otherwise don't copy it,
  • restart Splunk on the new instance,
  • don't restart the old instances,
  • if there are external inputs related to the old instances (universal Forwarders, syslogs, etc...), move them to the new one.

If instead there are common apps and data, it's more complicated, because you have to manually move all the knowledge objects of the common apps into a full version of these apps.
For common data, you have to export all of them to text files before stopping the old instances and reindex them on the new one.

Ciao.
Giuseppe
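
The pre-copy checks in the answer above can be scripted. This is an added example, not part of the original post or of Splunk itself: it assumes each old instance's `etc/apps` directory has been copied to a staging directory, and it reports apps and non-internal indexes present on more than one instance, plus `indexes.conf` or local knowledge-object files sitting in the standard apps. The function names, `STANDARD_APPS` and `KO_FILES` are illustrative assumptions; it does not check which inputs write to the main index.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

STANDARD_APPS = {"search", "launcher"}  # only the two apps the answer names; extend for your install
KO_FILES = {"eventtypes.conf", "props.conf", "transforms.conf", "tags.conf"}  # assumed subset
STANZA = re.compile(r"^\[([^\]]+)\]$")

def index_names(conf):
    """Index stanzas in an indexes.conf, skipping [default], [volume:*] and internal _* indexes."""
    found = (STANZA.match(l.strip()) for l in conf.read_text(errors="replace").splitlines())
    return {m.group(1) for m in found
            if m and m.group(1) != "default" and not m.group(1).startswith(("volume:", "_"))}

def preflight(instances):
    """instances maps a label to a staged copy of that instance's etc/apps directory."""
    apps, indexes, misplaced = defaultdict(set), defaultdict(set), []
    for inst, apps_dir in instances.items():
        confs = [c for c in Path(apps_dir).glob("*/*/*.conf") if c.parent.name in ("default", "local")]
        for conf in sorted(confs):
            app, scope = conf.parts[-3], conf.parts[-2]
            std = app.lower() in STANDARD_APPS
            if not std:
                apps[app].add(inst)  # an app counts once it has any .conf file
            if conf.name == "indexes.conf":
                for name in index_names(conf):
                    indexes[name].add(inst)
            if std and (conf.name == "indexes.conf" or (scope == "local" and conf.name in KO_FILES)):
                misplaced.append(f"{inst}:{app}/{scope}/{conf.name}")
    return {"shared_apps": sorted(a for a, s in apps.items() if len(s) > 1),
            "shared_indexes": sorted(i for i, s in indexes.items() if len(s) > 1),
            "misplaced": misplaced}

def make_sample(root):
    """Constructed sample: three small etc/apps trees, not taken from any real instance."""
    files = {"A/fw_app/default/indexes.conf": "[default]\n[firewall]\n[_internal]\n",
             "A/search/local/eventtypes.conf": "[failed_login]\nsearch = action=failure\n",
             "B/fw_app/local/props.conf": "[fw:log]\n",
             "B/web_app/default/indexes.conf": "[volume:hot]\n[web]\n",
             "C/search/local/indexes.conf": "[web]\nhomePath = $SPLUNK_DB/web/db\n"}
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return {name: str(Path(root, name)) for name in "ABC"}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(preflight(make_sample(tmp)))
```

Empty `shared_apps` and `shared_indexes` lists correspond to the simple case in the answer; any entry there means the manual merge or export-and-reindex path applies to that app or index.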
