Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to complete Splunk Migration from 3 different instances to a new instance?

Mansi24
Path Finder
‎10-16-2019 06:23 AM

Hi Splunkers,

We have to migrate our 3 Splunk instances to a whole different new instance. Since Splunk documentation says copy entire contents of $SPLUNK_HOME$ to the new instance but since we have to move 3 different instances to one we can't to do it for all.

Could you please guide me the ideal way for migration to take place. We need to have all apps and data from all the 3 instances to a newer one. Also how should the hardware requirements should be decided.

Please help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-16-2019 06:49 AM

Hi Mansi24,
if the three instance have different apps and data it isn't complicated:

  • install Splunk on the new instance,
  • check that in the standard Splunk apps there isn't any knowledge object (eventtypes, fields, etc...) especially in Launcher and Search,
  • if there are, move them in appropriate apps,
  • especially check that all indexes.conf aren't in standard apps,
  • check if there's something that writes logs on main index, if yes move these inputs to a different index (if only one instance, writes logs on main index it isn't important),
  • check if there are external imputs related to the old instances (universal Forwarders, syslogs, etc...), don't move them now but after,
  • stop Splunk on old and new instances,
  • copy all the apps from the three old instances in the new one,
  • copy all the not internal indexes from the three old instances to the new one except main index,
  • copy main index only if you have data in only one instance, otherwaise don't copy,
  • restart splunk on the new instance,
  • don't restart the old instances,
  • if there are external imputs related to the old instances (universal Forwarders, syslogs, etc...), move them to the new one,

If instead, there are common apps and data it's more complicated because you have to manually move all the knowledge objects of common apps in a full version of these apps.
For common data, you have to export all of them in text files before stopping old instances and reindex them on the now one.

Ciao.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-16-2019 06:49 AM

Hi Mansi24,
if the three instance have different apps and data it isn't complicated:

  • install Splunk on the new instance,
  • check that in the standard Splunk apps there isn't any knowledge object (eventtypes, fields, etc...) especially in Launcher and Search,
  • if there are, move them in appropriate apps,
  • especially check that all indexes.conf aren't in standard apps,
  • check if there's something that writes logs on main index, if yes move these inputs to a different index (if only one instance, writes logs on main index it isn't important),
  • check if there are external imputs related to the old instances (universal Forwarders, syslogs, etc...), don't move them now but after,
  • stop Splunk on old and new instances,
  • copy all the apps from the three old instances in the new one,
  • copy all the not internal indexes from the three old instances to the new one except main index,
  • copy main index only if you have data in only one instance, otherwaise don't copy,
  • restart splunk on the new instance,
  • don't restart the old instances,
  • if there are external imputs related to the old instances (universal Forwarders, syslogs, etc...), move them to the new one,

If instead, there are common apps and data it's more complicated because you have to manually move all the knowledge objects of common apps in a full version of these apps.
For common data, you have to export all of them in text files before stopping old instances and reindex them on the now one.

Ciao.
Giuseppe

Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...