Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Windows Migration Universal Forwarders

Hashtables
New Member
‎12-13-2024 01:44 AM

Hello,

Bit of a novice here.

I am in the process of planning to migrate a Splunk universal forwarder from one windows server to another.

 

To my understanding, this is the following process I have come up with:

1. Copy the Splunk home folder from the original  forwarder to the newly commissioned server.

2. Download the same version of Splunk.

3. Run the MSI executable, agree to the terms and conditions and open customise settings and select the install location as the same location as the pre-existing configuration.

 

Will the installer then prompt me for any other information, as it already has the configuration? For example will it ask me the deployment server address or the indexor address, or what system account is being used, or to create a splunk local administration account.

 

Will I need to change the host name in any configuration files? If it is not the same as the original server.

 

Labels (2)
Labels
0 Karma
Reply

PaulPanther
Motivator
‎12-13-2024 02:23 AM

What is the reason for the planned the migration? For me it sounds like more that you just wanna install a new Universal forwarder on a different server to collect the logs.

Usually you have all specific configuration like inputs.conf and outputs.conf on your deployment server and in case of setting up a new UF you only add it to a existing or new serverclass to rollout the configuration files.

I would do a fresh installation on the new server, configure the local configurations (e.g. deploymentclient.conf) and then distribute all other configurations via the Deployment Server.

Regarding the installation routine I recommend to take a look into the documentation Install a Windows universal forwarder - Splunk Documentation There is also a silent installation on command line described.

Reply

Hashtables
New Member
‎12-13-2024 03:33 AM

Don’t have a deployment server hence copying the home folder across.

0 Karma
Reply

PaulPanther
Motivator
‎12-13-2024 03:58 AM

Ah okay, then I would execute it in following order:

1. Do the fresh installation

2. copy all custom apps and their configuration files to %SplunkHome/etc/apps/ from your source

3. start splunk

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...