
Splunk Migration to another server

terryjohn
Path Finder

We're running Splunk V4.3 on a CentOS 5 server and we want to move to Splunk 6 running on a different server running CentOS 6.

We're moving to Splunk V6.04 to start with as it seems you can't upgrade to V6.1 from V4.3 in one go.

It's important we maintain our historical data so we need to export the data from the old Splunk version to the new version. I've seen lots of information on how to upgrade Splunk and exporting data but nothing that matches our needs to export, import and upgrade.
Our significant apps are *Nix, OSSEC, Snort and Eqalis. I know Snort is only certified for V5 but have been assured it will run on 6.

I just need to know what steps I need to take for this upgrade and whether the exported data from the apps will be of the right format to bring into the new Splunk version.

1 Solution

rtadams89
Contributor

Probably the easiest thing to do while minimizing downtime is to:

1) Perform incremental rsync jobs to copy the entire Splunk install directory to the new server.
2) Once mostly synced up, stop Splunk on the old server and do one last rsync to make sure the servers are 100% in sync.
3) Edit the server.conf and inputs.conf in the etc/system/local directory of the new server to reflect the new server name and any other parameters you may want to change.
4) Start up Splunk on the new server and make sure it is functioning as expected (receiving data, allowing searches, etc.)
5) Update the new server's Splunk install via the upgrade documentation.
6) Once everything is confirmed working, decom the old server.
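A shell sketch of steps 1 to 3 above, added here as an example and not part of rtadams89's answer or any Splunk tooling. SPLUNK_HOME, NEW_HOST and NEW_SERVER_NAME are assumed placeholder values; the serverName edit targets the [general] stanza of etc/system/local/server.conf.

```shell
#!/bin/sh
# Assumed values (not from the thread): adjust to your environment.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
NEW_HOST="${NEW_HOST:-new-splunk.example.com}"     # placeholder hostname
NEW_SERVER_NAME="${NEW_SERVER_NAME:-new-splunk}"   # placeholder serverName

# Steps 1-2: incremental copy of the whole install directory over ssh.
# -a keeps ownership and permissions, which matters because the tree
# includes etc/auth (splunk.secret, passwd, certificates) and the index
# directories; --delete mirrors removals so repeated runs converge.
sync_install() {
    rsync -aH --delete --numeric-ids -e ssh \
        "$SPLUNK_HOME/" "root@$NEW_HOST:$SPLUNK_HOME/"
}

# Step 2: quiesce the old instance, then take the final consistent copy.
final_cutover() {
    "$SPLUNK_HOME/bin/splunk" stop && sync_install
}

# Step 3: set serverName in etc/system/local/server.conf under the given
# install root (run this on the new server). Creates the [general] stanza
# or key when missing, otherwise replaces the existing value in place.
set_server_name() {
    conf="$1/etc/system/local/server.conf"
    name="$2"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    if grep -q '^\[general\]' "$conf"; then
        if grep -q '^serverName *=' "$conf"; then
            sed -i "s/^serverName *=.*/serverName = $name/" "$conf"
        else
            sed -i "/^\[general\]/a serverName = $name" "$conf"
        fi
    else
        printf '[general]\nserverName = %s\n' "$name" >> "$conf"
    fi
}

# Read back the effective serverName (empty output if unset).
get_server_name() {
    sed -n 's/^serverName *= *//p' "$1/etc/system/local/server.conf"
}
```

Run sync_install repeatedly while the old server is live, then final_cutover once, then set_server_name "$SPLUNK_HOME" "$NEW_SERVER_NAME" on the new host before starting Splunk there.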


rtadams89
Contributor

You can do that too. Just install Splunk from scratch on the new server, then merge the indexes. See http://wiki.splunk.com/Community:MoveIndexes and http://answers.splunk.com/answers/32176/is-it-possible-to-migrate-indexed-buckets-to-a-different-ind...

This is much more work, and possibly messier.


terryjohn
Path Finder

I was hoping to avoid that route, complete with old apps that would have to be updated individually on a new version of Splunk. I'd hoped that I could get a new Splunk instance with all the latest versions of apps running, then import the old data.


somesoni2
SplunkTrust

One additional configuration change required will be at the forwarders, to point them to the new server, unless a DNS alias is used.
