I'm planning on moving the Enterprise Security app from one search head to another; search heads are not clustered.
Has anyone done this that can give me the process that worked for you?
It is pretty easy.
Copy the entire `$SPLUNK_HOME/etc/*` and `$SPLUNK_HOME/var/run` directory space.
Restart Splunk.
Install `TA-synckvstore` and sync every kvstore from the old to the new search head.
This all presumes that you set up Splunk and ES correctly the first time (i.e. all indexes and summaries are on your indexers).
Hello @woodcock,
I have a somewhat similar scenario, but my old SH has ES version 6.0 installed and the new SH, which is in the migration stage, has ES version 7.2. Can I copy the $SPLUNK_HOME/etc/SplunkEnterpriseSecuritySuite directory into the new SH? Will this work?
Thanks for the reply. Would backing up/restoring the kvstore work the same as the TA-synckvstore app? Looks like that app hasn't been updated in a while.
Yes, but the Splunk backup does EVERYTHING; the TA allows you to be selective.
Ah, gotchya. Thanks!
I'll work this in my change and come back to rate the answers after I've completed the move.
I ran a move procedure on Splunk Enterprise and ITSI, but I did not play around with Enterprise Security. I expect this procedure to also work for your purpose.
The procedure was:
- deploy Splunk Enterprise to the new server, using the same version you have on the existing server
- tar the entire $SPLUNK_HOME/etc folder from the existing Splunk Enterprise Security server, but I recommend stopping the splunk service first, just to avoid any changes from customers
- Stop the splunk service on the new server
- copy the tar file to the new server into the $SPLUNK_HOME/etc folder
- Stop the splunk service on the current Splunk Enterprise server
- Copy the bundle file from $SPLUNK_HOME/var/run on the existing server to the same path on the new one. The bundle file should be named something like servername-1570745614.bundle
- Start the splunk service on the new server
- Monitor for any error messages or lack-of-configuration issues
Before you run this procedure, stop the existing Splunk server and run a full backup of etc, just to make sure you have the latest configuration/apps, so that in case you have any issues you can recover from the point where everything is working properly on the current Splunk environment.
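As an added example (not code posted by either answer in this thread), the POSIX shell script below strings together the steps both answers describe: stop Splunk, tar $SPLUNK_HOME/etc on the old search head, set the freshly deployed etc aside on the new one, extract the archive, and copy the newest search-head bundle from var/run to the same path, checking the copy with a checksum. The SPLUNK_HOME paths are passed as arguments and are assumptions; it also assumes non-clustered search heads on the same Splunk version, that you move the tar file between hosts yourself (scp, shared mount), and that KV store data is handled separately as discussed above (TA-synckvstore or the Splunk backup). The `splunk stop`/`splunk start` calls only fire if `bin/splunk` exists, so the file handling can be rehearsed on a scratch directory first.

```shell
#!/bin/sh
# Added example, not from the thread: scripted "copy etc + bundle" migration
# of a non-clustered search head. Paths are assumptions; run on a scratch
# tree first, then with the real SPLUNK_HOME values.
set -eu

# Stop/start Splunk only when a real install exists at $1; on a scratch tree
# without bin/splunk this is a no-op so the file steps can be exercised offline.
splunk_ctl() {
  if [ -x "$1/bin/splunk" ]; then
    "$1/bin/splunk" "$2"
  fi
}

# With Splunk stopped on the old server, archive etc relative to SPLUNK_HOME
# so it extracts back to the same relative path. Prints the archive CRC so
# it can be compared after the transfer to the new host.
archive_etc() {
  src_home="$1"; out_tar="$2"
  splunk_ctl "$src_home" stop
  tar -C "$src_home" -cf "$out_tar" etc
  cksum "$out_tar" | cut -d' ' -f1
}

# Newest search-head bundle under var/run, e.g. servername-1570745614.bundle.
latest_bundle() {
  dir="$1/var/run"
  set -- "$dir"/*.bundle
  [ -f "$1" ] || { echo "no .bundle file under $dir" >&2; return 1; }
  ls -t "$dir"/*.bundle | head -n 1
}

# On the new server: stop Splunk, keep the freshly deployed etc as a fallback
# (etc.pre-migration.<epoch>), then extract the archived etc in its place.
restore_etc() {
  dst_home="$1"; in_tar="$2"
  splunk_ctl "$dst_home" stop
  if [ -d "$dst_home/etc" ]; then
    mv "$dst_home/etc" "$dst_home/etc.pre-migration.$(date +%s)"
  fi
  tar -C "$dst_home" -xf "$in_tar"
}

# Copy the newest bundle to the same relative path on the new server,
# preserving mode/mtime, and fail on a checksum mismatch (truncated copy).
copy_bundle() {
  src_home="$1"; dst_home="$2"
  b="$(latest_bundle "$src_home")"
  mkdir -p "$dst_home/var/run"
  cp -p "$b" "$dst_home/var/run/"
  [ "$(cksum < "$b")" = "$(cksum < "$dst_home/var/run/$(basename "$b")")" ] || {
    echo "bundle checksum mismatch after copy" >&2; return 1; }
  basename "$b"
}

# Full run old -> new. $3 is a work directory for the tar file.
migrate() {
  src_home="$1"; dst_home="$2"; work="$3"
  archive_etc "$src_home" "$work/etc.tar" >/dev/null
  restore_etc "$dst_home" "$work/etc.tar"
  copy_bundle "$src_home" "$dst_home"
  splunk_ctl "$dst_home" start
  echo "started; watch $dst_home/var/log/splunk/splunkd.log for config errors"
}

# Usage (paths are assumptions):
#   migrate /opt/splunk /mnt/newsh/opt/splunk /tmp/migrate-work
```

When the two hosts do not share a mount, run `archive_etc` on the old host, scp the tar and compare the printed CRC with `cksum` on the new host, then run `restore_etc` and `copy_bundle` there against the copied bundle. The pre-migration etc is kept rather than deleted so the new search head can be rolled back by moving it into place again.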