Sorry if this question is elementary but I just stood up a new search head, and then added the existing stand alone environment to it. So now I have 1 SH and then 1 indx that has all other services ran on it.
When I login to the SH to search it works fine. I can see all the indexed data from the indexer and that's fantastic ...but on the new search head when I click on reports ,dashboards, lookups fields, tags, extractions... all those items it took forever to make are not there. Im certain I shouldn't have to manually add. There's a way to copy or clone , replicate from the existing indexer .. how do I fox this? Thank you .
You have been treating your Indexer as a Search Head, which it is, but this is inadvisable and you are right to stop. You need to copy all of your knowledge objects from $SPLUNK_HOME/etc/apps
manually. It should be fine to copy EVERYTHING except for indexes.conf
if that is easiest,
I also Have ITSI (IT Service Intelligence installed) It's also within the app directory but i notice that none of the Services and KPI's show up. Would someone from splunk chime in as to what directories need to be copied over to capture all the services, kpi's etc...
Much Thanks!
You have been treating your Indexer as a Search Head, which it is, but this is inadvisable and you are right to stop. You need to copy all of your knowledge objects from $SPLUNK_HOME/etc/apps
manually. It should be fine to copy EVERYTHING except for indexes.conf
if that is easiest,
You have to copy your App (etc/apps/youapp) into the new search head and then restart Splunk.
Be aware that all the objects in tour app aren't private!
Then verify that the Distributed search in tour new sh is well configured.
Bye.
Giuseppe
if you're satisfied of the answer, please, accept the answer.
Bye.
Giuseppe