How to merge two search heads to contain the same apps, alert, reports, dashboards, etc... ?

Log_wrangler
Builder

I have two sh(s) both contain different apps, alerts, reports, dashboards, etc.

I am going to upgrade SH-A (with 6.3.1 version) to be the same 6.6.4 version as the other SH-B.

After the upgrade, I am moving everything from SH-B to SH-A.

Is there an easy way to cp /opt/splunk from SH-B and merge it with /opt/splunk in SH-A?

Thank you

0 Karma

somesoni2
Revered Legend

If you're sure that both SHs do not have any common knowledge objects/KOs (with a common name; KOs include apps, saved searches, dashboards, lookups, macros, field extractions, etc.), then:
1) Things that you can just copy over -
a) Dashboards (XML files within app_name/(local/default)/data/ui/views)
b) Navigation menus (XML files within app_name/(local/default)/data/ui/nav)
c) Lookups (app_name/lookups)
d) Scripts (app_name/bin)
e) Static contents (app_name/appserver or app_name/static)
2) Things that you need to merge (if the content of both SHs is different, you can just append the content of one SH to the other SH)
a) All .conf files (maybe except app.conf, in location app_name/(local/default))
b) All .meta files (app_name/metadata)
Apart from etc/apps, you'd need to copy etc/users and etc/system/local (if any) configurations as well.
There is no shortcut way to move stuff from one instance to the other.

0 Karma

Log_wrangler
Builder

Thank you for the detailed description. I am almost certain I am going to mess this up and lose something.

However, I was wondering... since both my SH(s) are in AWS, could I spin-up a 3rd instance and then cluster/sync them? Then break the cluster apart keeping only one consolidated SH? Would that method assure me that everything was sync-ed up?

Thank you

0 Karma

somesoni2
Revered Legend

Migrating from a standalone instance to a cluster would also not be straightforward, and you'd have to migrate settings from your current standalone instance. Besides, you'd need to spin up 3 instances (you can't use the current instances for SHC unless you do a clean install on them). See this for more details on migration from standalone to SHC.

http://docs.splunk.com/Documentation/Splunk/7.1.1/DistSearch/Migratefromstandalonesearchheads

How many custom apps are there in your standalone instances?

0 Karma

Log_wrangler
Builder

Hi,

I already installed all the apps that I could on SH-A (without 6.3.1 version restriction).

Now I only have 1 custom app, 44 alerts, 20 reports, and 15 dashboards to move from SH-B to SH-A, but I need to upgrade SH-A to 6.6.4 first.

Thanks

0 Karma

adonio
Ultra Champion

Recommend verifying they are indeed different.
Also, do not copy or move Splunk native apps. If you made any changes in those apps (check especially search and launcher), copy the content of the files that are in the local directory to the new SH.

0 Karma
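Both answers above depend on first confirming that the two search heads share no knowledge-object names. The following is an added example, not part of the original thread and not Splunk tooling: a Python sketch that compares two copies of `etc/apps` and lists files and `.conf`/`.meta` stanzas defined on both sides. The function names and the sample trees are hypothetical and constructed for illustration.

```python
import os
import tempfile

def stanzas(path):
    """Stanza names in a .conf/.meta file, ignoring continued lines."""
    names, continued = set(), False
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            # After a trailing backslash, "[ search ... ]" is a value, not a header.
            if not continued and line.startswith("[") and line.endswith("]"):
                names.add(line[1:-1])
            continued = line.endswith("\\")
    return names

def files_under(root):
    return {os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/")
            for d, _, fs in os.walk(root) for f in fs}

def collisions(apps_a, apps_b):
    """(path, stanza) pairs present on both sides; stanza is None for whole files."""
    found = []
    for rel in sorted(files_under(apps_a) & files_under(apps_b)):
        if rel.endswith((".conf", ".meta")):
            shared = stanzas(os.path.join(apps_a, rel)) & stanzas(os.path.join(apps_b, rel))
            found += [(rel, s) for s in sorted(shared)]
        else:
            found.append((rel, None))
    return found

def demo():
    """Constructed sample trees standing in for etc/apps on SH-A and SH-B."""
    sample = {
        "a/search/local/savedsearches.conf":
            "[Failed logins]\nsearch = index=auth action=failure \\\n"
            "[ search index=assets ]\n[Disk usage]\nsearch = index=os\n",
        "b/search/local/savedsearches.conf":
            "[Failed logins]\nsearch = index=auth\n[License usage]\nsearch = index=_internal\n",
        "a/search/local/data/ui/views/overview.xml": "<dashboard/>\n",
        "b/search/local/data/ui/views/overview.xml": "<dashboard/>\n",
        "b/custom_app/lookups/assets.csv": "host,owner\n",
    }
    tmp = tempfile.mkdtemp()
    for rel, text in sample.items():
        path = os.path.join(tmp, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return collisions(os.path.join(tmp, "a"), os.path.join(tmp, "b"))
```

An empty result from `collisions()` means nothing with the same path or stanza name exists on both sides; any entry it returns has to be reconciled by hand before copying or appending.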

Log_wrangler
Builder

Thank you for your reply, looks like I will need to go another route.

0 Karma