Splunk Windows Migration Universal Forwarders

Hashtables
New Member

Hello,

Bit of a novice here.

I am in the process of planning to migrate a Splunk universal forwarder from one Windows server to another.

 

To my understanding, this is the following process I have come up with:

1. Copy the Splunk home folder from the original forwarder to the newly commissioned server.

2. Download the same version of Splunk.

3. Run the MSI executable, agree to the terms and conditions and open customise settings and select the install location as the same location as the pre-existing configuration.

 

Will the installer then prompt me for any other information, as it already has the configuration? For example, will it ask me for the deployment server address or the indexer address, or what system account is being used, or to create a Splunk local administration account?

 

Will I need to change the host name in any configuration files if it is not the same as the original server?

 

0 Karma

PaulPanther
Motivator

What is the reason for the planned migration? To me it sounds more like you just want to install a new Universal Forwarder on a different server to collect the logs.

Usually you have all specific configuration like inputs.conf and outputs.conf on your deployment server, and when setting up a new UF you only add it to an existing or new serverclass to roll out the configuration files.

I would do a fresh installation on the new server, configure the local configurations (e.g. deploymentclient.conf) and then distribute all other configurations via the Deployment Server.

Regarding the installation routine, I recommend taking a look at the documentation: Install a Windows universal forwarder - Splunk Documentation. A silent installation on the command line is also described there.

Hashtables
New Member

Don’t have a deployment server hence copying the home folder across.

0 Karma

PaulPanther
Motivator

Ah okay, then I would execute it in the following order:

1. Do the fresh installation

2. Copy all custom apps and their configuration files to %SplunkHome/etc/apps/ from your source

3. Start Splunk

0 Karma
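
Relating to the host name question in the first post and the copy step above, an added example (not part of any reply in this thread and not Splunk's own tooling): a PowerShell check that lists literal `host` (inputs.conf) and `serverName` (server.conf) values in copied configuration that do not match the new server. The function name `Find-StaleHostSetting`, the app name and both host names are hypothetical, and the sample file is constructed.

```powershell
# Added example: find hard-coded machine names in configuration copied from the old forwarder.
# Hypothetical function name; the sample app, file content and host names are constructed.
function Find-StaleHostSetting {
    param(
        [Parameter(Mandatory)] [string] $ConfigRoot,   # e.g. the copied etc\apps folder
        [Parameter(Mandatory)] [string] $NewHostName
    )
    # The settings that can hold a machine name, keyed by the file they live in
    $wanted = @{ 'inputs.conf' = 'host'; 'server.conf' = 'serverName' }

    Get-ChildItem -LiteralPath $ConfigRoot -Recurse -File -Filter '*.conf' |
        Where-Object { $wanted.ContainsKey($_.Name) } |
        ForEach-Object {
            $file    = $_
            $pattern = '^\s*{0}\s*=\s*(.+?)\s*$' -f $wanted[$file.Name]
            $stanza  = '(global)'
            $lineNo  = 0
            foreach ($line in Get-Content -LiteralPath $file.FullName) {
                $lineNo++
                # Track the current [stanza] so each finding says which input it affects
                if ($line -match '^\s*\[(.+)\]\s*$') { $stanza = $Matches[1]; continue }
                if ($line -cmatch $pattern) {
                    $value = $Matches[1]
                    # $decideOnStartup is resolved at start-up; only literal names can be stale
                    if ($value -ne '$decideOnStartup' -and $value -ne $NewHostName) {
                        [pscustomobject]@{
                            File   = $file.FullName
                            Line   = $lineNo
                            Stanza = $stanza
                            Value  = $value
                        }
                    }
                }
            }
        }
}

# Constructed sample so the check can be tried without a forwarder installed
$root  = Join-Path ([IO.Path]::GetTempPath()) ('uf-demo-' + [guid]::NewGuid())
$local = New-Item -ItemType Directory -Path (Join-Path $root 'my_custom_app\local') -Force
Set-Content -LiteralPath (Join-Path $local.FullName 'inputs.conf') -Value @(
    '[WinEventLog://Security]', 'host = OLDSERVER01', 'disabled = 0')

Find-StaleHostSetting -ConfigRoot $root -NewHostName 'NEWSERVER01' | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Point `-ConfigRoot` at the copied apps folder before starting the forwarder; events sent with the old `host` value would be attributed to the wrong machine in searches and detections.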