Splunk Search

How to migrate search app content from an old Splunk instance to new search head cluster members using the deployer?

Raghav2384
Motivator

Experts,

We have a Splunk instance which is 3 years old and need to migrate the content to new search head cluster. We have pushed all the custom apps through the deployer. Questions is, how to push the old search app's content to the new search head cluster members using the deployer? I know we have to create a TA in the shcluster/apps directory, but it for some reason, it doesn't like to push the search app. Also, what's the best way to deploy /etc/users/ from the old standalone Splunk search head to the new SHC using the deployer? Just copy all the user directories and place them under /shclusters/users/? This deploying search content is a little confusing to me.

Thanks in advance,
Raghav

1 Solution

hgrow
Communicator

hgrow
Communicator

Hi Raghav,

if you havn't read it already this might help you:

http://docs.splunk.com/Documentation/Splunk/6.2.4/DistSearch/Migratefromstandalonesearchheads

Greetings

Raghav2384
Motivator

Hi @hgrow,

Thank you for your reply. I did go through the documentation. I learnt that search app has be renamed before pushing to the shc and leave local/* out of it.

Thank you for your time

Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...