Hi all,
We have a relatively small Splunk environment that has 2 Universal forwarders and 1 Indexer on separate servers in the same domain. Our hardware is reaching end of life and as a result we have to migrate to new hardware. This is an environment we only recently took ownership of and the knowledge is not where it should be for a project such as this. As such, I wanted to ask here for some pointers on how to carry out such a project.
We have our new servers. Old servers were Windows Server 2008 R2 and new servers are 2012 R2. We use a service account that has access to all of our servers to run the forwarders rather than having light forwarders on every server. It is an option to not migrate our old buckets, etc. as we mainly use Splunk for live monitoring rather than historical tracking, etc.
Would I be correct in assuming that the ideal (high level) plan would be to back up everything, upgrade the existing Indexer to the latest version of Splunk, copy over the $SPLUNK_HOME directory to the new server, install Splunk on the new server, check the conf files to make sure the new server's IP, etc. is updated where needed and then start Splunk on the new server? We will also be migrating one of our forwarders. Is it possible to do this after upgrading the Indexer server?
Also, in regards to backing out if things go wrong, is it as straightforward as turning off Splunk on the new servers and pointing the forwarders back to the old server? If I have forgotten anything please let me know. I am very new to this and am willing to listen to all the advice I can get. Thank you in advance for any replies.
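The step above of checking the copied conf files for the old indexer's address, and the backout step of pointing the forwarders back, are both a matter of finding every stanza and setting that names the old host. The script below is an added example, not code from this thread or from Splunk: it parses a Splunk-style .conf file (stanzas in square brackets, `key = value` lines), reports every reference to an old host, and rewrites them for the new host; running the rewrite with the inverted map is the rollback. The hostnames and IPs, and the sample outputs.conf, are constructed for the example; the parser is deliberately simpler than Splunk's own (no default/local layering, no line continuations), so treat its report as a checklist to confirm against `splunk btool ... list`, not as a substitute for it.

```python
import re

# Constructed sample: an outputs.conf copied from one of the forwarders, still
# pointing at the old indexer. Hostnames and addresses are made up for this example.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = primary_indexers
useACK = true

[tcpout:primary_indexers]
server = 10.0.0.10:9997, splunk-idx-old.example.local:9997
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem

[tcpout-server://10.0.0.10:9997]
"""

# Assumed old -> new mapping for the migrated indexer. Invert it to roll back.
HOST_MAP = {
    "10.0.0.10": "10.0.0.20",
    "splunk-idx-old.example.local": "splunk-idx-new.example.local",
}


def parse_splunk_conf(text):
    """Parse Splunk's INI-like format into {stanza: {key: value}}.

    Stanza names are kept verbatim because they may contain ':' and '/',
    and a stanza with no settings (e.g. [tcpout-server://host:port]) is kept.
    Settings before the first stanza go under 'default', as Splunk treats them.
    """
    conf = {"default": {}}
    stanza = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
            continue
        key, sep, value = line.partition("=")
        if sep:  # ignore malformed lines rather than guessing at them
            conf[stanza][key.strip()] = value.strip()
    return conf


def find_stale_references(conf, old_hosts):
    """Return (stanza, key, value) for each setting or stanza name mentioning an old host.

    key is None when the stanza name itself carries the reference.
    """
    hits = []
    for stanza, settings in conf.items():
        if any(host in stanza for host in old_hosts):
            hits.append((stanza, None, stanza))
        for key, value in settings.items():
            if any(host in value for host in old_hosts):
                hits.append((stanza, key, value))
    return hits


def rewrite_references(text, host_map):
    """Replace whole host tokens only, so 10.0.0.10 does not clobber 10.0.0.100.

    Applying this with {new: old for old, new in host_map.items()} undoes it,
    which is the 'point the forwarders back at the old server' backout step.
    """
    out = text
    for old, new in host_map.items():
        pattern = r"(?<![\w.-])" + re.escape(old) + r"(?![\w.-])"
        out = re.sub(pattern, new, out)
    return out


if __name__ == "__main__":
    conf = parse_splunk_conf(SAMPLE_OUTPUTS_CONF)
    for stanza, key, value in find_stale_references(conf, set(HOST_MAP)):
        where = f"[{stanza}]" if key is None else f"[{stanza}] {key}"
        print(f"stale reference in {where}: {value}")
    print("--- rewritten for the new indexer ---")
    print(rewrite_references(SAMPLE_OUTPUTS_CONF, HOST_MAP))
```

Run it over each file under `$SPLUNK_HOME/etc` on the copied indexer and on the migrated forwarder before starting Splunk; a clean report means no forwarder will quietly keep sending to a decommissioned address. Keep the original files, since the inverted map only restores what this script changed, not anything edited by hand.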