Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Rebuild and Migrate Splunk Enterprise to another different site

ws
Path Finder
‎07-18-2025 12:33 AM

Hi, 

I have saw there are many recommendations to rebuild and migrate with its existing data and configuration.

It abit confusing for me as a new Splunk user, would appreciate if there some guidance for it.

The following are the instances.

1x Search Head
3x Indexer
3x Heavy Forwarder
1x License server
1x deployment server
Current version: 9.3.2

Assuming the hostname/IP could be the same or different for the rebuild.

What is the best way to perform the rebuild and migration with it existing data and configuration?

Same hostname/IP:
- Copy the entire contents of the $SPLUNK_HOME directory from the old server to the new server
- Install all instance for the new Splunk component into new server

Different hostname/IP:
- Copy the entire contents of the $SPLUNK_HOME directory from the old server to the new server
- Install all instance for the new Splunk component into new server
- Update individual .conf of instances if using new hostname
- Update individual instances to point to their respecitive instances roles

And could i install a newer version of Splunk without going to 9.3.2 when rebuilding and migrating?

For testing purpose, I'll be trying it at one AIO instances for the rebuilding/migration due to space limitation.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-18-2025 01:24 AM

Hi

as you have an individual servers, you could use this method https://community.splunk.com/t5/Installation/How-to-migrate-indexes-to-new-indexer-instance/m-p/5280...

When you have several indexers you should consider to migrate into clustered environment. You should read this https://docs.splunk.com/Documentation/SVA/current/Architectures/TopologyGuidance

r. Ismo

0 Karma
Reply

ws
Path Finder
‎07-21-2025 11:18 PM

Hi @isoutamo

Thanks for providing some of the article.

For All-in-One, tested with using the rsync. Everything went quite smooth. 

But in a situation whereby there's a cluster involved for the indexer/search head and it is in a separate network/location. Will the same method work?? or there's another method to follow?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-25-2025 04:14 PM

When you have cluster, then correct method is add nodes to it and after data has spread into those new nodes, then remove old nodes. Here is details how to do it https://community.splunk.com/t5/Splunk-Enterprise/Migration-of-Splunk-to-different-server-same-platf...

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-18-2025 12:42 AM

Hi @ws 

For rebuilding and migrating your Splunk Enterprise setup to a new site while preserving existing data and configurations either of your mentioned paths would work. This assumes compatible OS/architecture between old and new servers. Personally I'd probably use the same version as your existing deployment for the new site and upgrade once complete, that way you're doing a migration rather than a transformation - which is less risky. It also means that there wont be any unknown config changes when copying the contents of $SPLUNK_HOME.

You may want to look at using something like rsync for copying the $SPLUNK_DB paths over from the old servers to the new ones, which might take some time depending on your data retention size/configurations. You could move the bulk of this first and then copy the config. 

If you're able to keep the same hostnames etc and switch the DNS over, or retain the same IPs then this will obviously reduce a lot of additional work, otherwise you will need to go through various servers to update things like deploymentclient.conf for clients connecting to the DS etc.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

ws
Path Finder
‎07-21-2025 11:19 PM

Hi @livehybrid,

Thanks for providing the information.

With using rsync, tested with All-in-One and it is working.

But in a situation whereby there's a cluster involved for the indexer/search head and it is in a separate network/location. Will the same method work?? or there's another method to follow?

0 Karma
Reply
Get Updates on the Splunk Community!

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Community Feedback

We Want to Hear from You! Share Your Feedback on the Splunk Community   The Splunk Community is built for you ...

Manual Instrumentation with Splunk Observability Cloud: Implementing the ...

In our observability journey so far, we've built comprehensive instrumentation for our Worms in Space ...