Splunk Windows Migration Universal Forwarders

Hashtables
New Member

Hello,

Bit of a novice here.

I am in the process of planning to migrate a Splunk universal forwarder from one Windows server to another.

To my understanding, this is the following process I have come up with:

1. Copy the Splunk home folder from the original forwarder to the newly commissioned server.

2. Download the same version of Splunk.

3. Run the MSI executable, agree to the terms and conditions, open customise settings, and select the install location as the same location as the pre-existing configuration.

Will the installer then prompt me for any other information, as it already has the configuration? For example, will it ask me for the deployment server address or the indexer address, what system account is being used, or to create a Splunk local administration account?

Will I need to change the host name in any configuration files if it is not the same as the original server?

0 Karma

PaulPanther
Motivator

What is the reason for the planned migration? To me it sounds more like you just wanna install a new Universal Forwarder on a different server to collect the logs.

Usually you have all specific configuration like inputs.conf and outputs.conf on your deployment server, and in case of setting up a new UF you only add it to an existing or new serverclass to roll out the configuration files.

I would do a fresh installation on the new server, configure the local configurations (e.g. deploymentclient.conf) and then distribute all other configurations via the Deployment Server.

Regarding the installation routine, I recommend taking a look at the documentation: Install a Windows universal forwarder - Splunk Documentation. There is also a silent installation on the command line described.

Hashtables
New Member

Don’t have a deployment server hence copying the home folder across.

0 Karma

PaulPanther
Motivator

Ah okay, then I would execute it in the following order:

1. Do the fresh installation

2. Copy all custom apps and their configuration files to %SplunkHome/etc/apps/ from your source

3. Start Splunk

0 Karma
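
The copy-and-start steps from the answer above, scripted in PowerShell as an added example (not code from the thread or from Splunk). The backup path, install path and old host name are assumptions; the script copies only apps the fresh install does not already contain, then flags any `host` or `serverName` setting in the copied apps that still names the old server before it restarts the forwarder.

```powershell
# Added example: every value in param() is an assumption, not taken from the thread.
param(
    [string]$SourceApps = 'D:\uf-backup\etc\apps',   # hypothetical copy of the old forwarder's etc\apps
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',   # assumed install location
    [string]$OldHost    = 'OLDSERVER01'              # placeholder for the old server's host name
)
$ErrorActionPreference = 'Stop'
$destApps = Join-Path $SplunkHome 'etc\apps'

# Apps the fresh install already created are treated as stock and left untouched.
$stock  = @(Get-ChildItem -Path $destApps -Directory | ForEach-Object Name)
$custom = @(Get-ChildItem -Path $SourceApps -Directory |
            Where-Object { $stock -notcontains $_.Name })

foreach ($app in $custom) {
    Copy-Item -Path $app.FullName -Destination $destApps -Recurse
    Write-Host "Copied app: $($app.Name)"
}

# Settings that pin the old identity: host (inputs.conf) and serverName (server.conf).
# Left in place, events from this server would still be labelled with the old host.
$pattern = '^\s*(host|serverName)\s*=\s*' + [regex]::Escape($OldHost) + '\s*$'
$stale = @(foreach ($app in $custom) {
    Get-ChildItem -Path (Join-Path $destApps $app.Name) -Recurse -Filter '*.conf' -File |
        Select-String -Pattern $pattern
})

if ($stale.Count -gt 0) {
    $stale | ForEach-Object {
        Write-Warning ("{0}:{1}: {2}" -f $_.Path, $_.LineNumber, $_.Line.Trim())
    }
    Write-Warning 'Old host name found in copied apps; fix these entries, then start the forwarder.'
    exit 1
}

# restart also covers the case where the installer already started the service.
& (Join-Path $SplunkHome 'bin\splunk.exe') restart
```

The scan covers only the copied apps; settings under `etc\system\local` come from the fresh install on the new server and are not touched.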