Splunk Enterprise

Migrate old Search head cluster to new Search head cluster

vtalanki
Path Finder

Hi,

I have gone through multiple answers and also the Splunk documentation about migrating from a standalone search head to an SHC, but my use case is a bit different.

Use case:

We want to deploy the Splunk Enterprise service in AWS and, as part of it, we create an SHC with, say, 5 search heads. When an OS upgrade or Splunk version upgrade is required, we want to spawn 5 totally new EC2 instances to form a new SHC with a new AMI that has the upgrades.

How do we copy the old SHC data/settings (search artifacts: dashboards, saved searches, etc.) to the new one? What is the best way to achieve this?

0 Karma

isoutamo
SplunkTrust

Hi

If you are doing the Splunk update at the same time, only on the new environment, then you should do this as the docs say for SH to SHC migration. But if you are doing the migration first and then the update, another option is to first migrate the deployer, then stretch the current SHC with the new nodes, and then remove the old ones. Of course, this needs an IP connection between on-site and AWS.
r. Ismo

0 Karma

vtalanki
Path Finder

Both our environments are in AWS. 

For new deployment, we will have new AMI baked with OS/Splunk Upgrade and create EC2 instances with this AMI. We will have a new deployer and new SHC in this case. But how can we copy the settings/data from old SHC to new SHC?

0 Karma

isoutamo
SplunkTrust

Hi

When you have put the SHC up from scratch, you must follow these instructions: https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/Migratefromstandalonesearchheads

Basically, export all wanted apps (e.g. splunk package app <app name> for all apps, one by one), then copy those to the new deployer. If there is something in the KV store, that may be copied separately? Then stop the old one, copy user settings/data to the new deployer, and deploy everything to the new SHC. Then it should work and contain all data from the old SHC.
r. Ismo

0 Karma
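The staging step described in the answer above, as an added example that is not part of the original posts and not Splunk's own tooling. It assumes the old search head's `etc/` directory is reachable as a local path and that the new deployer distributes from `etc/shcluster/apps` and `etc/shcluster/users`; the function name `stage_shc_bundle` and the `SKIP_APPS` list are hypothetical.

```shell
#!/bin/sh
# Added example: stage apps and user settings from an old search head's etc/
# directory into a new deployer's distribution directories.
# Assumption: default apps to leave behind; adjust for your deployment.
SKIP_APPS="search launcher learned"

# stage_shc_bundle OLD_ETC DEPLOYER_ETC  (hypothetical helper name)
# Prints the number of apps staged; warnings go to stderr.
stage_shc_bundle() {
    old_etc=$1
    deployer_etc=$2
    dst="$deployer_etc/shcluster"
    [ -d "$old_etc/apps" ] || { echo "no apps/ under $old_etc" >&2; return 1; }
    mkdir -p "$dst/apps" "$dst/users"
    staged=0
    for app in "$old_etc"/apps/*; do
        [ -d "$app" ] || continue
        name=$(basename "$app")
        case " $SKIP_APPS " in *" $name "*) continue ;; esac
        mkdir -p "$dst/apps/$name"
        cp -R "$app/." "$dst/apps/$name/"
        # Stored credentials are encrypted with the old instance's
        # etc/auth/splunk.secret and will not decrypt under a different one.
        if [ -f "$app/local/passwords.conf" ]; then
            echo "WARN: $name has local/passwords.conf" >&2
        fi
        staged=$((staged + 1))
    done
    # Per-user knowledge objects (private dashboards, saved searches).
    if [ -d "$old_etc/users" ]; then
        cp -R "$old_etc/users/." "$dst/users/"
    fi
    echo "$staged"
}

# Afterwards, on the new deployer, push the bundle to the cluster:
#   splunk apply shcluster-bundle -target https://<member>:<management_port> -auth <user>:<password>
```

Review the staged `local/` directories before pushing, since they can carry tokens and host-specific settings from the old environment.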

vtalanki
Path Finder

Thanks @isoutamo. Will try this and update.

0 Karma