
Please advise on proposed process to upgrade Splunk 6.1 to a new Linux server.

royimad
Builder

I will be moving an existing Splunk installation (and all the data, inputs and customizations, etc.) over to a new server (Linux to Linux same platform and same architecture) and perform an upgrade to 6.1 and from what I gathered from all the documentation, the process would be this:

  • Stop Splunk Enterprise 5.0 on the server from which you want to migrate.
  • Copy the entire contents of the $SPLUNK_HOME directory from the old server to the new server (all my indexes and data reside under $SPLUNK_HOME).
  • Create the Splunk user and install Splunk 6.1 on the target platform under the same location and directory structure as the copied files: extract the downloaded 6.1 tarball splunk-6.1.3-220630-Linux-x86_64.tgz directly over the copied files on the new system.
  • Start Splunk Enterprise on the new instance. Splunk Enterprise detects whether you are migrating and prompts you on whether or not to upgrade at this time; answer yes.
  • Start command should migrate the license to the new server: $SPLUNK_HOME/bin/splunk start --accept-license --answer-yes

Are we missing something in the process?
Please advise.


srioux
Communicator

Most of it looks good. That said, here are a few things, off the top of my head:

  • Generally you would want to create backups, although you could use the old server as the "backup" for config files/data-wise.
  • Make sure to chown all the right directories/files, as needed.
  • Not sure how distributed the architecture is, or how everything would be configured. I generally advise to use a DNS alias for the Splunk server; that way, if you migrate (as you're doing now), nobody has to update their bookmarks. There may be communications to consider around this, depending on your user-base (and update internal docs, bookmarks, and wherever else you might've documented it).
  • If you're using SSL, but changing the URL of Splunk, might need to get a new cert generated/signed for it.
  • If you're using forwarders, you may need to update outputs.conf across forwarders to send to the new box. This may be alleviated through centralized management, such as the deployment server.
  • Not sure what your security landscape looks like, but make sure that firewalls (local or network), or any other security in place would take into account the new system.
  • If you're using a separate license server, make sure that the server's added to the license pool. Even if it's all running on the same box, I'd definitely mark it as a "validation" point.
  • Consider enabling boot-start, if you want Splunk to fire up on boot ($SPLUNK_HOME/bin/splunk enable boot-start).
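
As an added example (not code from the thread or from Splunk), the script below rehearses the copy, extract-over, chown and start steps from the question together with the ownership and forwarder-target checks from the answer above, against a constructed throw-away directory tree. It assumes $SPLUNK_HOME ends in `splunk` (e.g. /opt/splunk) so that the tarball's top-level `splunk/` directory lands on top of the copied tree; the hostnames, version strings, stub `bin/splunk` and file contents are made-up fixture data.

```shell
#!/bin/sh
# Added example, not from the thread: rehearse the migration on a throw-away
# tree before touching the real servers. Assumption: $SPLUNK_HOME ends in
# "splunk" so the release tarball's top-level "splunk/" lands on the copy.
set -eu

# Step 2: copy the whole tree, keeping modes, symlinks and timestamps.
copy_splunk_home() {   # copy_splunk_home OLD_HOME NEW_HOME
    mkdir -p "$2"
    (cd "$1" && tar cf - .) | (cd "$2" && tar xpf -)
}

# Step 3: unpack the new release over the copy. The tarball ships bin/ and
# etc/system/default, so etc/system/local, apps and var/ survive untouched.
extract_release_over() {   # extract_release_over TARBALL NEW_HOME
    tar xzf "$1" -C "$(dirname "$2")"
}

# Answer, "chown all the right directories": hand the tree to the service
# account, then prove that nothing is still owned by someone else.
fix_ownership() {   # fix_ownership NEW_HOME USER
    chown -R "$2" "$1"
}
check_ownership() {   # check_ownership NEW_HOME USER -> exit 0 if clean
    stray=$(find "$1" ! -user "$2" | wc -l | tr -d ' ')
    [ "$stray" -eq 0 ]
}

installed_version() {   # prints VERSION= from etc/splunk.version
    sed -n 's/^VERSION=//p' "$1/etc/splunk.version"
}

# Answer, "update outputs.conf across forwarders": does a forwarder's
# outputs.conf still send to HOST?
outputs_point_at() {   # outputs_point_at OUTPUTS_CONF HOST
    grep -Eq "^[[:space:]]*server[[:space:]]*=.*$2" "$1"
}

# Steps 4/5: first start, accepting the licence and the migration prompt.
start_splunk() {   # start_splunk NEW_HOME
    "$1/bin/splunk" start --accept-license --answer-yes
}

migrate_tree() {   # migrate_tree OLD_HOME NEW_HOME TARBALL USER
    copy_splunk_home "$1" "$2"
    extract_release_over "$3" "$2"
    fix_ownership "$2" "$4"
    check_ownership "$2" "$4"
}

# Constructed fixture: a fake 5.0 install with local config and an index
# bucket marker, a fake 6.1 tarball with a stub bin/splunk, and a forwarder
# outputs.conf that still targets the old host.
build_fixture() {   # build_fixture ROOT
    root="$1"
    mkdir -p "$root/old/splunk/etc/system/local" \
             "$root/old/splunk/var/lib/splunk/defaultdb/db" \
             "$root/stage/splunk/etc" "$root/stage/splunk/bin" "$root/forwarder"
    printf 'VERSION=5.0.4\nBUILD=0\n' > "$root/old/splunk/etc/splunk.version"
    printf '[general]\nserverName = splunk01\n' > "$root/old/splunk/etc/system/local/server.conf"
    : > "$root/old/splunk/var/lib/splunk/defaultdb/db/bucket_marker"
    printf 'VERSION=6.1.3\nBUILD=220630\n' > "$root/stage/splunk/etc/splunk.version"
    printf '#!/bin/sh\necho "stub splunk: $*"\n' > "$root/stage/splunk/bin/splunk"
    chmod +x "$root/stage/splunk/bin/splunk"
    (cd "$root/stage" && tar czf "$root/splunk-6.1.3-220630-Linux-x86_64.tgz" splunk)
    printf '[tcpout:primary]\nserver = oldsplunk.example.com:9997\n' > "$root/forwarder/outputs.conf"
}

# Rehearsal run; for the real migration point the arguments at the real paths.
rehearse() {
    root=$(mktemp -d)
    build_fixture "$root"
    migrate_tree "$root/old/splunk" "$root/new/splunk" \
                 "$root/splunk-6.1.3-220630-Linux-x86_64.tgz" "$(id -un)"
    echo "new tree reports version $(installed_version "$root/new/splunk")"
    if outputs_point_at "$root/forwarder/outputs.conf" oldsplunk.example.com; then
        echo "outputs.conf still targets the old host: update it (or the deployment server)"
    fi
    start_splunk "$root/new/splunk"
    rm -rf "$root"
}
rehearse
```

The ownership check is the "validation point" worth keeping: a single root-owned file left behind under var/lib/splunk is enough to make the first start fail or, worse, start with an index it cannot write to. The outputs.conf check is the same idea for the forwarders; with a DNS alias in `server =` (as the answer suggests) it reports nothing to change.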

royimad
Builder

I'm using SSL and am changing the URL of Splunk; do I need to get a new cert generated?


srioux
Communicator

I would assume so, but you'd have to check your cert. The certificate might be tied to the system's URL.

Lots of documentation on the wiki & official Splunk docs on certs, if needed:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Security/Howtogetthird-partycertificates


srioux
Communicator

As it so happens, there's a stack of stuff on the Splunk wiki as well:
http://wiki.splunk.com/Deploy:Migrating_a_Splunk_Install
