Splunk Enterprise Security

Remove Search Head roles from an Indexer

andresito123
Communicator

Hello to the community!

I was wondering if there is any best practices regarding the removal of Search Head role from an indexer and moving it to a new server. I have started as a "demo" installation with a machine with indexer and SH role, so I need to remove all activities of the SH and move them to the new machine. Is there any documentation on performing such task? The SH also contains Enterprise Security App.

Thanks,
Andreas

0 Karma
1 Solution

renjith_nair
Legend

Hi Andreas,

If you would like to have a dedicated search head, the following steps might help you.

Once you have the "new" search head installed, copy the searches and apps to the new search head:

  • Do not copy the whole search "app" since it might create unexpected issues later. Instead, copy the 'local' folder from your search app, which should have your searches/macros/dashboards etc.
  • Check if you have something in your user's local directory, in case there are objects which are not shared in the app. https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Apparchitectureandobjectownership should give you an overview of the object permissions.
  • You shall copy other 'apps' from the etc/apps folder directly to the new search head, to the same location. This includes your "Enterprise Security App".
  • And as mentioned in Forward search head data, forward the data from the SH to the "old" indexer.
  • Disable scheduled searches on the indexer once you have enabled them in the "new" search head. Make sure you are doing the disable/enable on both search heads simultaneously/without much time gap to avoid duplicate alerts. This includes searches from "apps" as well.
  • Regarding Enterprise Security, you should keep other configuration files on the indexer, e.g. indexes, props, transforms, as mentioned in http://docs.splunk.com/Documentation/ES/5.1.0/Install/Indexes
  • Disable the search head on the indexer to prevent users from using it (best practice): Settings » Server settings » General settings and select "No" for 'Run Splunk Web' [or from the command line: ./splunk disable webserver]

Let us know in case you have further questions.

---
What goes around comes around. If it helps, hit it with Karma 🙂


0 Karma
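As an added example (not from the thread, and not Splunk's own tooling): a small Python check for the "avoid duplicate alerts" step above. It parses the stanzas of the local savedsearches.conf files from the app and user directories of each host and lists the scheduled searches that are still live on both the old indexer and the new search head. The sample conf text, search names and file paths are constructed.

```python
# Constructed sample savedsearches.conf (not from the thread): one live scheduled search
# with a backslash-continued line, one ad hoc search, one scheduled-but-disabled search.
SAMPLE_CONF = """\
[Demo - Failed Logins - Rule]
search = | tstats count from datamodel=Authentication \\
    where Authentication.action=failure by Authentication.src
cron_schedule = */10 * * * *
enableSched = 1
[Ad hoc lookup]
search = index=main | head 10
[Old Report]
cron_schedule = 0 6 * * *
enableSched = 1
disabled = 1
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, joining backslash-continued lines."""
    stanzas, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        while line.endswith("\\") and i + 1 < len(lines):   # continuation line
            i += 1
            line = line[:-1] + " " + lines[i].strip()
        i += 1
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in s and current is not None and not s.startswith("#"):
            key, _, val = s.partition("=")          # split on the first '=' only
            stanzas[current][key.strip()] = val.strip()
    return stanzas

def live_scheduled(conf_texts):
    """Searches that will fire on one host: enableSched=1 and not disabled, over every
    local savedsearches.conf given as {relative path under etc/: text} (apps and users)."""
    live = set()
    for text in conf_texts.values():
        live.update(name for name, kv in parse_conf(text).items()
                    if kv.get("enableSched") == "1" and kv.get("disabled", "0") != "1")
    return live

def duplicate_alerts(old_host, new_host):
    """Searches live on both hosts would fire twice; these must be disabled on the old indexer."""
    return sorted(live_scheduled(old_host) & live_scheduled(new_host))
```

Run it against the etc/apps/*/local and etc/users/*/*/local files of both hosts; an empty result means the handover of scheduled searches is complete.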


andresito123
Communicator

Thank you very much for your answer!

One more question: how can I offload the indexer from the SH tasks? Delete Enterprise Security?

0 Karma

renjith_nair
Legend

Added the steps. In short, once you move the scheduled searches to the new search head, most of the load should be offloaded.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma