Splunk Enterprise Security

Migrate ES standalone to Cluster


I have a couple of questions about migrating the ES standalone search head to a clustered search head. I have tested two different methods: one works well, and the Splunk method doesn’t work. Here is my method.


My Method:

  1. Create tarball backups of /opt/splunk/etc/apps and /opt/splunk/etc/users from the standalone ES search head
  2. Create a kvstore backup from the standalone ES search head
  3. Build deployer and search head cluster
    1. Set up LDAP
    2. Set up licensing
  4. Extract users.tar in /opt/splunk/etc/shcluster on the deployer
  5. Extract apps.tar in /opt/splunk/etc/shcluster on the deployer
    1. Remove all apps that are default install apps
  6. Apply the shcluster bundle
  7. Restore kvstore on the captain
  8. Restore kvstore on the other two nodes in the cluster
  9. Restore entire SH cluster
  10. Done
    1. Team tested, and everything looks like it is there and seems to be working


Splunk’s Method:

  1. Create tarball backups of /opt/splunk/etc/apps and /opt/splunk/etc/users from the standalone ES search head
  2. Create a kvstore backup from the standalone ES search head
  3. Build out deployer and search head cluster
    1. Set up LDAP
    2. Set up licensing
  4. Install the latest version of ES on the deployer
    1. Install all TAs that will be used
  5. Deploy ES out to the cluster
  6. Restore users.tar in /opt/splunk/etc/shcluster
  7. Restore other apps in /opt/splunk/etc/shcluster
    1. This process is more tedious, as you have to break out all items from the ES app individually
  8. Deploy apps and users out to the shcluster
  9. Restore kvstore on the captain
  10. Restore kvstore on the other two nodes
  11. Restart the SH cluster
  12. Done
    1. Team tested, and it seems to be working, but none of the data models are working and it does not appear to recognize the kvstore restore.
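Step 5.1 of the first method (drop the stock Splunk apps from the extracted tarball before pushing the bundle) as an added example script, not the poster's or Splunk's own tooling. It uses the freshly built deployer's own etc/apps as the reference for "default install apps" rather than a hard-coded list, and assumes apps.tar was created with `tar -C /opt/splunk/etc -cf apps.tar apps`.

```shell
#!/bin/sh
# Added example (not from the original post). Stages the apps from the
# standalone ES tarball into the deployer's shcluster/apps directory and
# drops every app that a stock Splunk install already ships (step 5.1),
# so the deployer never pushes its own copies of search, launcher, etc.
# over the members' copies.
# Assumption: apps.tar unpacks to apps/<appname>/... (created with
#   tar -C /opt/splunk/etc -cf apps.tar apps).
set -eu

# stage_apps TARBALL REF_APPS DEST
#   TARBALL  apps.tar taken from the standalone search head
#   REF_APPS etc/apps of the untouched deployer install (defines "default apps")
#   DEST     target directory, normally /opt/splunk/etc/shcluster/apps
# Prints one line per app copied into DEST; fails if nothing was kept.
stage_apps() {
    tarball=$1; ref=$2; dest=$3
    work=$(mktemp -d)
    tar -xf "$tarball" -C "$work"
    mkdir -p "$dest"
    kept=0
    for app in "$work"/apps/*/; do
        [ -d "$app" ] || continue
        name=$(basename "$app")
        if [ -d "$ref/$name" ]; then
            # Shipped with Splunk itself: skip it so the bundle does not
            # overwrite what every member already has.
            continue
        fi
        cp -R "$app" "$dest/$name"
        echo "$name"
        kept=$((kept + 1))
    done
    rm -rf "$work"
    [ "$kept" -gt 0 ]
}

# Real-path invocation for the deployer (paths from the post; run by hand):
# stage_apps /backup/apps.tar /opt/splunk/etc/apps /opt/splunk/etc/shcluster/apps
```

Apps that survive the prune keep their local/ directories; when the bundle is pushed the deployer folds each app's local/ into default/ on the members, so review those for host-specific settings before applying the bundle.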