Splunk IT Service Intelligence

Is it possible to clone Splunk config files / settings?

Builder

I would like to set up a 2 node Splunk implementation: 1 Indexer and 1 Search Head. The indexer will hold all roles except for Search. The Search head will do search + house ITSI.

Instead of having to manually set up the LDAP configs, user roles, is there a way to copy the configs (say from original server which will now just be the indexer) and then just copy a certain set of config files over to the Search head? That way I'm not duplicating efforts.

Same goes for Reports, Dashboards, Field extractions, tags, lookup fields, etc. Right now I've been using 1 box (stand-alone); however, I don't want to have to recreate everything on the new search head in order to be functional. I also have ITSI installed on this one stand-alone box. It would be hell on earth if I had to manually set all that up again on the new Search head.

What's the proper way to copy the settings/configurations needed to easily expand out without making manual edits?

Thank you


Builder

I don't know for sure, but I would think that installing the same version of Splunk on the new host and then copying the /etc folder would accomplish this. You would need to go into the .conf files and search for the old hostname.


Communicator

For the LDAP config you have to copy $SPLUNKHOME/etc/system/local/authentication.conf and change the copied bindDNpassword = to a plain text version, because splunk> can't read encrypted passwords from other splunk> instances and will encrypt the plain text one with its own key after the next splunk restart.
The same goes for other configs with encrypted passwords/keys inside, like server.conf.
Apps can also hold encrypted parts, like the Splunk_TA_aws, where the credentials are held in $SPLUNKHOME/etc/apps/Splunk_TA_aws/local/passwords.conf. But these are not encrypted by the server (with a restart).
Apps and configs without passwords typically have no problems being copied between instances. In some places it can generate confusion when systems have the same names (stored in inputs.conf, deploymentclient.conf and server.conf).
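The two things the answer above says to check by hand, encrypted values that were written with the source instance's key and leftover references to the old hostname, can be found mechanically before the copied etc/ tree is dropped onto the new search head. The script below is an added example, not code from the thread or from Splunk; it assumes that Splunk-encrypted values start with the `$1$` or `$7$` prefix (they are encrypted with the per-instance etc/auth/splunk.secret), and the sample .conf files it builds are constructed, with made-up names and values.

```shell
#!/bin/sh
# Added example (not from the thread): audit a copied Splunk etc/ tree for
#   1. values encrypted with the source instance's splunk.secret ($1$ / $7$ prefix),
#      which the destination instance cannot decrypt and must be reset to plaintext
#   2. lines that still reference the old hostname (server.conf, inputs.conf, ...)
# Assumption: $1$/$7$ mark Splunk-encrypted values. All sample data is constructed.

# find_encrypted DIR -> prints "file:line:key" for every encrypted value
find_encrypted() {
    find "$1" -type f -name '*.conf' \
        -exec grep -nE '^[[:space:]]*[A-Za-z0-9_.]+[[:space:]]*=[[:space:]]*\$[17]\$' /dev/null {} + \
        | sed -E 's/^([^:]+):([0-9]+):[[:space:]]*([A-Za-z0-9_.]+).*/\1:\2:\3/' \
        | sort
}

# find_hostname DIR OLDHOST -> prints "file:line" for every line mentioning OLDHOST
find_hostname() {
    find "$1" -type f -name '*.conf' -exec grep -nF "$2" /dev/null {} + \
        | cut -d: -f1,2 | sort
}

# build_sample DIR -> constructs a tiny etc/ tree with the files the thread discusses
build_sample() {
    mkdir -p "$1/system/local" "$1/apps/Splunk_TA_aws/local"
    cat > "$1/system/local/authentication.conf" <<'EOF'
[ldap_corp]
host = ldap.example.internal
bindDN = cn=splunk,ou=svc,dc=example,dc=internal
bindDNpassword = $7$Zm9vYmFyYmF6cXV4CONSTRUCTED
EOF
    cat > "$1/system/local/server.conf" <<'EOF'
[general]
serverName = splunk-old01
pass4SymmKey = $7$c2VjcmV0c2VjcmV0CONSTRUCTED
[sslConfig]
sslPassword = password
EOF
    cat > "$1/system/local/inputs.conf" <<'EOF'
[default]
host = splunk-old01
EOF
    cat > "$1/apps/Splunk_TA_aws/local/passwords.conf" <<'EOF'
[credential:aws:example-account:]
password = $1$YXdzLXNlY3JldCBDT05TVFJVQ1RFRA==
EOF
}

# Run directly as: sh audit_copy.sh /path/to/copied/etc OLD_HOSTNAME
if [ "$#" -eq 2 ]; then
    echo "== encrypted values: reset to plaintext so the new instance re-encrypts them =="
    find_encrypted "$1"
    echo "== references to old hostname '$2' =="
    find_hostname "$1" "$2"
fi
```

Run it against the copied etc/ before starting the new instance; every key it lists under the first heading has to be replaced with its plaintext value (the new instance re-encrypts it on restart, as the answer notes), and every hit under the second heading is a candidate for the serverName/host confusion the answer warns about. Note that `sslPassword = password` is not flagged, because it is plaintext and copies cleanly.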


Communicator

I downvoted this post because this answer may be correct for cloning a machine to another env... not for a copy of a splunk instance.


Explorer

You would get into sketchy waters if you have 'secrets' that you have to distribute between splunk infrastructure devices e.g. indexers(clusters), search heads, etc.

Honestly, using a tool like puppet, chef, or ansible would best fit your use case. Get the configs in, get them out to the rest of your infrastructure with nominal effort. It's a beautiful life for IT professionals. All of these tools are very well documented and widely used. If you run into trouble with setting them up, help is literally a fingertip away. Hope this helps. Happy Splunking!

Marc