Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to merge two search heads to contain the same apps, alert, reports, dashboards, etc... ?

Log_wrangler
Builder
‎06-01-2018 07:37 AM

I have two sh(s) both contain different apps, alerts, reports, dashboards, etc.

I am going to upgrade SH-A(with 6.3.1 version) to be the same 6.6.4 version as the other SH-B.

After the upgrade, I am moving everything from SH-B to SH-A.

Is there an easy way to cp /opt/splunk from SH-B and merge it with /opt/splunk in SH-A?

Thank you

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎06-01-2018 11:12 AM

If you're sure that both SH do not have any common knowledge objects/KO (with common name, KO includes apps, saved searches, dashboards, lookups, macros, fields extractions etc), then
1) Things that you can just copy over -
a) Dashboards (xml files within app_name/(local/default)/data/ui/views
b) Navigation menus(xml files within app_name/(local/default)/data/ui/nav
c) Lookups (app_name/lookups)
d) Scripts (app_name/bin)
c) static contents (app_name/appserver ot app_name/static)
2) THings that you need to merge (if content of both SH are different, you can just append content of one SH to other SH
a) All .conf files (may be except app.conf, in location app_name/(local/default))
b) All .meta files (app_name/metadata)
Apart from etc/apps, you'd need to copy etc/users and etc/system/local (if any) configurations as well.
There is no shortcut way to move stuff from one instance to other.

0 Karma
Reply

Log_wrangler
Builder
‎06-04-2018 08:00 AM

Thank you for the detailed description. I am almost certain I am going to mess this up and lose something.

However, I was wondering... since both my SH(s) are in AWS, could I spin-up a 3rd instance and then cluster/sync them? Then break the cluster apart keeping only one consolidated SH? Would that method assure me that everything was sync-ed up?

Thank you

0 Karma
Reply

somesoni2
Revered Legend
‎06-04-2018 08:10 AM

Migrating from Stand alone instance to cluster would also not be straight forward and you'd have to migrate settings from your currently standalone instance. Besides, you'd need to spin up 3 instances (can't use current instances for SHC unless you do clean install on it). See this for more details on migration from Standalone to SHC.

http://docs.splunk.com/Documentation/Splunk/7.1.1/DistSearch/Migratefromstandalonesearchheads

How many custom apps are there in your stand alone instances?

0 Karma
Reply

Log_wrangler
Builder
‎06-05-2018 08:51 AM

Hi,

I already installed all the apps that I could on SH-A (without 6.3.1 version restriction).

Now I only have 1 custom app, 44 alerts, 20 reports, and 15 dashboards to move from SH-B to SH-A, but I need to upgrade SH-A to 6.6.4 first.

Thanks

0 Karma
Reply

adonio
Ultra Champion
‎06-01-2018 10:35 AM

recommend to verify they are indeed different
also, do not copy or move splunk native apps, if you made any changes in those apps (check especially search and launcher) copy the content of the files that are in the local directory to the new SH

0 Karma
Reply

Log_wrangler
Builder
‎06-04-2018 07:54 AM

Thank you for your reply, looks like I will need to go another route.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...