If you are on Windows to Windows (32-bit to 64-bit or 64-bit to 64-bit), here are the steps:
- Stop the old instance, stop the new instance.
- Redirect the forwarder to the new instance (or not, if you use the same IP/URI).
- Back up the full $SPLUNK_HOME\etc\ folder.
- Move to the equivalent folder:
  - the auth and ssh keys: $SPLUNK_HOME\etc\auth (that also contains the secret key for password encryption)
  - the user password: $SPLUNK_HOME\etc\passwd
  - the apps: $SPLUNK_HOME\etc\apps\
  - the local configuration: $SPLUNK_HOME\etc\system\local (eventually modify the server.conf and inputs.conf from ...\etc\system\local that contain the old hostname)
  - the users folders: $SPLUNK_HOME\etc\users
- On the original, move the indexes:
  - Check in indexes.conf to see the path of all your indexes; the default is using a dynamic path, $SPLUNK_HOME\var\lib\splunk\
  - If they are hard coded as c:\program files\splunk\var\lib\splunk\... then change them to the new location.
- Double check the permissions on the files.
- Restart the new indexer and verify that all is working and searchable.
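An added example, not part of the original answer: a PowerShell check for the indexes.conf step, listing every index path setting that is hard coded to a drive or UNC path instead of a variable. It assumes the standard `homePath`, `coldPath` and `thawedPath` settings and the `$SPLUNK_DB` variable used by default index paths; the function name and the sample file are constructed for illustration.

```powershell
# Added example: find hard-coded index paths in every indexes.conf under etc\.
function Find-HardCodedIndexPath {
    param([Parameter(Mandatory)][string]$EtcPath)

    # indexes.conf settings that hold the on-disk location of an index
    $pathKeys = 'homePath', 'coldPath', 'thawedPath'

    foreach ($file in Get-ChildItem -Path $EtcPath -Filter 'indexes.conf' -Recurse -File) {
        $stanza = '(global)'
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $file.FullName) {
            $lineNo++
            $text = $line.Trim()
            # Track the current [stanza] so each finding names its index
            if ($text -match '^\[(.+)\]$') { $stanza = $Matches[1]; continue }
            # Comment lines start with '#', so they never match key = value here
            if ($text -notmatch '^([A-Za-z]+)\s*=\s*(.+)$') { continue }
            $key, $value = $Matches[1], $Matches[2].Trim()
            if ($pathKeys -notcontains $key) { continue }
            # A drive letter or UNC prefix means the path will not follow the new install
            if ($value -match '^([A-Za-z]:[\\/]|\\\\)') {
                [pscustomobject]@{
                    File    = $file.FullName
                    Line    = $lineNo
                    Stanza  = $stanza
                    Setting = $key
                    Value   = $value
                }
            }
        }
    }
}

# Constructed sample tree so the check can be tried without a Splunk install
$demo = Join-Path ([IO.Path]::GetTempPath()) 'splunk-etc-demo'
New-Item -ItemType Directory -Path (Join-Path $demo 'system\local') -Force | Out-Null
@'
[main]
homePath = $SPLUNK_DB\defaultdb\db
# coldPath below is hard coded and should be reported
coldPath = C:\Program Files\Splunk\var\lib\splunk\defaultdb\colddb
thawedPath = $SPLUNK_DB\defaultdb\thaweddb
'@ | Set-Content -LiteralPath (Join-Path $demo 'system\local\indexes.conf')

Find-HardCodedIndexPath -EtcPath $demo | Format-Table Stanza, Setting, Value, Line -AutoSize
```

To check a real instance, pass the `etc` folder of the new install as `-EtcPath` after copying the configuration and before the restart.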