Splunk Enterprise Security

How to move Enterprise Security to new search head

jonathanpeckham
Explorer

I'm planning on moving the Enterprise Security app from one search head to another; search heads are not clustered.
Has anyone done this that can give me the process that worked for you?

0 Karma

woodcock
Esteemed Legend

It is pretty easy.

Copy the entire `$SPLUNK_HOME/etc/*` and `$SPLUNK_HOME/var/run` directory space.
Restart Splunk.
Install `TA-synckvstore` and sync every kvstore from the old to the new search head.

This all presumes that you setup Splunk and ES correctly the first time (i.e. all index and summaries are on your indexers).

0 Karma

MayurMangoli
Loves-to-Learn Everything

Hello @woodcock,

i'm have a bit similar scenario, but my old SH having installed ES version 6.0 and the new SH which is in migration stage ES is version is 7.2, can i copy the $SPLUNK_HOME/etc/SplunkEnterpriseSecuritySuite directory into new SH, will this work with.??

 

0 Karma

jonathanpeckham
Explorer

Thanks for the reply. Would backing up/restoring the kvstore work the same as the TA-synckvstore app? Looks like that app hasn't been updated in a while.

0 Karma

woodcock
Esteemed Legend

Yes, but the Splunk backup does EVERYTHING; the TA allows you to be selective.

0 Karma

jonathanpeckham
Explorer

Ah, gotchya. Thanks!

I'll work this in my change and come back to rate the answers after I've completed the move.

0 Karma

ivanreis
Builder

I ran a move procedure on Splunk Enterprise and ITSI, but I did not play around Enterprise Security, but I expect this procedure also work for your purpose

The procedure was:
- deploy the splunk enterprise to the new server, use the same version you have on the existing server
- tar the entire $SPLUNK_HOME/etc folder from the existing splunk Enterprise security server, but I recommend to stop the splunk service first, just to avoid any change from customers
- Stop the splunk service at new server
- copy the tar file to the new server at $SPLUNK_HOME/etc folder
- Stop Splunk service on the current Splunk Enterprise server
- Copy the bundle file from $SPLUNK_HOME/var/run from the existing server to the new one on the same path. Bundle file should be something like this servername-1570745614.bundle
- Start splunk service on the new server
- Monitor for any error message of lack of configuration issues

Before you run this procedure, stop the existing Splunk server, run a full backup of etc, just to make sure if you the last updated configuration/apps in case you have any issues, you can recover from the point where everything is working properly on the current splunk environment.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...