Deployment Architecture

Move a VM Search Head to a new physical server

sgarvin55
Splunk Employee
Splunk Employee

Current search head is on a VM. I have set up a new search head now which is on a physical server. Both have search peers set up correctly. The current VM search head has all of the user-specfiic settings, dashboards, searches, views, etc configured. The new physical search head does not.

What specific files do I need to move from the first search head (VM) to the second search head (physical)? (that is, which files under $SPLUNK_HOME/etc need to be moved, and are there any files NOT under $SPLUNK_HOME/etc which need to be moved?

Also, the first Search head is also the license server. What is the best way to move the license over from the first search head to the second and then remove from the first? Do make the second search head the license master, install license there, then re-point my indexers to the new server?

Tags (2)

Damien_Dallimor
Ultra Champion

Have you considered setting up search head pooling using shared storage(NAS, clustered storage etc..) ?

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configuresearchheadpooling

Each Search Head has its own private copy of $SPLUNK_HOME/etc/system.

Search Head Pooling allows for synchronized sharing of $SPLUNK_HOME/etc/users and $SPLUNK_HOME/etc/apps via shared storage.

Authentication(local, LDAP etc..) must be setup on each Search Head individually.

  • $SPLUNK_HOME/etc/system/local/authorize.conf
  • $SPLUNK_HOME/etc/system/local/authentication.conf
  • $SPLUNK_HOME/etc/passwd (if using local authentication)

Alternatively to setting up pooling as detailed above , you could "rsync" between your 2 Search heads to keep $SPLUNK_HOME/etc/users and $SPLUNK_HOME/etc/apps synchronized and the auth related config files in sync.

Regarding the License Server refactoring , I haven't done a migration as you describe, but I don't see any caveats with your approach.

I'll just add that I prefer to use a DNS CName for my Splunk License Server so that I don't need to update my license client's "master_uri" value if I were to move the license server to a new host, I can just update the DNS CName record.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...