Splunk Enterprise

Migrate old Search head cluster to new Search head cluster

vtalanki
Path Finder

Hi,

I have gone through multiple answers and also the Splunk documentation about migrating from a standalone search head to an SHC, but my use case is a bit different.

Use case:

We want to deploy the Splunk Enterprise service in AWS and, as part of it, we create an SHC with, say, 5 search heads. When an OS upgrade or Splunk version upgrade is required, we want to spawn 5 totally new EC2 instances to form a new SHC with a new AMI that has the upgrades.

How do we copy the old SHC data/settings (search artifacts - dashboards, saved searches etc.) to the new one? What is the best way to achieve this?

0 Karma

isoutamo
SplunkTrust

Hi

If you are doing the Splunk update at the same time, only to the new environment, then you should do this as the docs describe for SH to SHC migration. But if you are doing the migration first and then the update, then another option is to first migrate the deployer, then stretch the current SHC with the new nodes, and then remove the old ones. Of course, this needs an IP connection between on-site and AWS.
r. Ismo

0 Karma

vtalanki
Path Finder

Both our environments are in AWS.

For the new deployment, we will have a new AMI baked with the OS/Splunk upgrade and create EC2 instances with this AMI. We will have a new deployer and a new SHC in this case. But how can we copy the settings/data from the old SHC to the new SHC?

0 Karma

isoutamo
SplunkTrust

Hi

When you have put the SHC up from scratch, you must follow these instructions: https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/Migratefromstandalonesearchheads

Basically, export all wanted apps (e.g. splunk package app <app name> for all apps, one by one), then copy those to the new deployer. If there is something in the kvstore, that may be copied separately? Then stop the old one, copy user settings/data to the new deployer, and deploy all to the new one. Then it should work and contain all data from the old SHC.
r. Ismo

0 Karma
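
The copy-to-deployer step described in the answer above, as an added example that is not part of the original posts or Splunk's own tooling: a function that stages custom apps and user directories from a copy of an old member's etc/ tree into the new deployer's etc/shcluster distribution directory. The function name, the SKIP_APPS list and the directory layout (etc/apps and etc/users on the old member, etc/shcluster/apps and etc/shcluster/users on the deployer) are assumptions to check against your installation.

```shell
#!/bin/sh
# Added example: stage an old search head's apps and user data for a new deployer.
# Assumed layout: <old_etc>/apps, <old_etc>/users -> <deployer_etc>/shcluster/{apps,users}

# Apps that ship with Splunk and should not be pushed from the deployer.
# Illustrative, not exhaustive: extend it for your Splunk version.
SKIP_APPS="search launcher learned splunk_httpinput splunk_monitoring_console"

# stage_shc_bundle OLD_ETC DEPLOYER_ETC
# Prints the number of staged apps on stdout; skip notices go to stderr.
stage_shc_bundle() {
    old_etc=$1
    deployer_etc=$2
    if [ ! -d "$old_etc/apps" ]; then
        echo "no apps directory under $old_etc" >&2
        return 1
    fi
    mkdir -p "$deployer_etc/shcluster/apps" "$deployer_etc/shcluster/users"
    staged=0
    for app_dir in "$old_etc"/apps/*; do
        [ -d "$app_dir" ] || continue
        app=$(basename "$app_dir")
        case " $SKIP_APPS " in
            *" $app "*)
                echo "skipping built-in app: $app" >&2
                continue
                ;;
        esac
        # Copy the whole app, including local/ (dashboards, saved searches).
        cp -R "$app_dir" "$deployer_etc/shcluster/apps/"
        staged=$((staged + 1))
    done
    # Per-user private objects live under etc/users/<user>/<app>/local.
    if [ -d "$old_etc/users" ]; then
        cp -R "$old_etc/users/." "$deployer_etc/shcluster/users/"
    fi
    echo "$staged"
}

# Run directly as: sh stage.sh /path/to/old/etc /opt/splunk/etc
if [ "$#" -eq 2 ]; then
    stage_shc_bundle "$1" "$2"
fi
```

After staging, the bundle is pushed from the deployer with `splunk apply shcluster-bundle -target https://<member>:<management_port> -auth <username>:<password>`. Objects that users saved inside skipped built-in apps such as search are not staged by this function and have to be handled separately.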

vtalanki
Path Finder

Thanks @isoutamo. Will try this and update.

0 Karma