Splunk Search

How to merge two search heads to contain the same apps, alert, reports, dashboards, etc... ?

Builder

I have two sh(s) both contain different apps, alerts, reports, dashboards, etc.

I am going to upgrade SH-A(with 6.3.1 version) to be the same 6.6.4 version as the other SH-B.

After the upgrade, I am moving everything from SH-B to SH-A.

Is there an easy way to cp /opt/splunk from SH-B and merge it with /opt/splunk in SH-A?

Thank you

Tags (2)
0 Karma

SplunkTrust
SplunkTrust

If you're sure that both SH do not have any common knowledge objects/KO (with common name, KO includes apps, saved searches, dashboards, lookups, macros, fields extractions etc), then
1) Things that you can just copy over -
a) Dashboards (xml files within appname/(local/default)/data/ui/views
b) Navigation menus(xml files within app
name/(local/default)/data/ui/nav
c) Lookups (appname/lookups)
d) Scripts (app
name/bin)
c) static contents (appname/appserver ot appname/static)
2) THings that you need to merge (if content of both SH are different, you can just append content of one SH to other SH
a) All .conf files (may be except app.conf, in location appname/(local/default))
b) All .meta files (app
name/metadata)
Apart from etc/apps, you'd need to copy etc/users and etc/system/local (if any) configurations as well.
There is no shortcut way to move stuff from one instance to other.

0 Karma

Builder

Thank you for the detailed description. I am almost certain I am going to mess this up and lose something.

However, I was wondering... since both my SH(s) are in AWS, could I spin-up a 3rd instance and then cluster/sync them? Then break the cluster apart keeping only one consolidated SH? Would that method assure me that everything was sync-ed up?

Thank you

0 Karma

SplunkTrust
SplunkTrust

Migrating from Stand alone instance to cluster would also not be straight forward and you'd have to migrate settings from your currently standalone instance. Besides, you'd need to spin up 3 instances (can't use current instances for SHC unless you do clean install on it). See this for more details on migration from Standalone to SHC.

http://docs.splunk.com/Documentation/Splunk/7.1.1/DistSearch/Migratefromstandalonesearchheads

How many custom apps are there in your stand alone instances?

0 Karma

Builder

Hi,

I already installed all the apps that I could on SH-A (without 6.3.1 version restriction).

Now I only have 1 custom app, 44 alerts, 20 reports, and 15 dashboards to move from SH-B to SH-A, but I need to upgrade SH-A to 6.6.4 first.

Thanks

0 Karma

SplunkTrust
SplunkTrust

recommend to verify they are indeed different
also, do not copy or move splunk native apps, if you made any changes in those apps (check especially search and launcher) copy the content of the files that are in the local directory to the new SH

0 Karma

Builder

Thank you for your reply, looks like I will need to go another route.

0 Karma