I need to upgrade a forwarder from a universal to a heavy weight one. Now I could just blow away my instance and start again however that would mean that all the data from the files would be resent. I don't want to change the inputs.conf with followTail as these are not under my control. So could just copy my old fish bucket to the new installation and it would work?
We want to upgrade a splunk universal forwarder to heavy forwarder and also it should have the same fishbucket the universal forwarder contains.
After upgrade the heavy forwarder should start reading data from point where universal forwarder stopped.
Would the following method work?
Biggest concern is if we can copy the fishbucket database from UF to the HWF.
According to the folks at Hurricane Labs, the above method/steps should work:
https://vimeo.com/139620964
Given that a universal fowarder installs to /opt/splunkforwarder (or seems to in the system I am looking at for example) I believe a universal forwarder configuration can live alongside a heavy forwarder.
One problem is that /etc/init.d/splunk would get changed to point to the heavy fowarder in /opt/splunk so making certain that the universal forwarder is shut down before installing/configuring the heavy forwarder seems the way to go.
This is what I'm planning on doing with a syslog forwarder.
When it comes to the configuration files, you should be able to copy them from one to the other.
First you should stop the forwarder and copy the entire home directory as a backup.
Install the heavy forwarder on top of the universal forwarder if you can - I've never done it, so I'm not sure that works.
Populate the local folders with those from your Universal Forwarder backup.
Copy the fish bucket to the correct location on the heavy forwarder. So long as you are not switching from 32 to 64 bit it should not be a problem.
If the Heavy Forwarder installs to a new splunk_home, then unistall the Universal Forwarder.