What do I need to do to ensure a clean Splunk migration?

dharveynswccd
Path Finder

In my environment I have an intermediate universal forwarder (syslog collector) which collects data from multiple sources and sends this data to the indexers. We are deploying a new server and would like to know the following:
a. What directories need to be copied over to the new server after Splunk is installed? Does it need to be the entire /opt/splunk directory and will that do the trick?
b. What do I need to do to ensure that the new server is checking in and sending logs to the search heads?

0 Karma

mdsnmss
SplunkTrust

Is this a duplicate syslog server to replace the other system? Are you using a deployment server to manage the intermediate UF? If you use one to remotely manage the forwarder you can add it to all the same server classes as the existing server. Otherwise, once Splunk is installed on the new system you should be able to just copy over /opt/splunk/etc. "Etc" is where your configs reside so as long as the directory structure on your new system is the same as the old server it should pick up on the inputs.

To check on your forwarder status you can check TCP connections and sending volume with this search:

index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=* | eval dest_uri = host.":".destPort | stats values(fwdType) as forwarder_type, latest(version) as version, values(arch) as arch, dc(dest_uri) as dest_count, values(os) as os, max(_time) as last_connected, sum(kb) as new_sum_kb, sparkline(avg(tcp_KBps), 1m) as new_avg_tcp_kbps_sparkline, avg(tcp_KBps) as new_avg_tcp_kbps, avg(tcp_eps) as new_avg_tcp_eps by guid, hostname

You can just search for the specific host to see that it is checking in and sending data. It might also be a good idea to check what sourcetypes your forwarder is sending on the specific forwarder so you can validate they are all being received from the new server as well.

0 Karma
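An added example, not part of the original thread: a check to run after copying /opt/splunk/etc, comparing a backup of the old server's etc with the new server's etc. A wholesale copy also carries the old instance's identity settings, which makes the two servers hard to tell apart in a search grouped by guid and hostname. The file locations (etc/instance.cfg, etc/system/local/server.conf, etc/system/local/inputs.conf) are assumed to be those of a default install, the function names are hypothetical, and the sample trees are constructed with placeholder values.

```python
import os
import tempfile

# Settings that identify one Splunk instance (paths relative to etc/, default install assumed).
IDENTITY_KEYS = [
    ("instance.cfg", "general", "guid"),
    ("system/local/server.conf", "general", "serverName"),
    ("system/local/inputs.conf", "default", "host"),
]

def read_conf(path):
    """Parse a Splunk .conf file into {stanza: {key: value}}."""
    conf, stanza = {}, "default"
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                stanza = line[1:-1]
            elif "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def carried_identity(old_etc, new_etc):
    """List (file, key, value) identity settings that are identical in both trees."""
    clashes = []
    for rel, stanza, key in IDENTITY_KEYS:
        paths = [os.path.join(etc, rel) for etc in (old_etc, new_etc)]
        if not all(os.path.isfile(p) for p in paths):
            continue
        old_v, new_v = (read_conf(p).get(stanza, {}).get(key) for p in paths)
        if old_v is not None and old_v == new_v:
            clashes.append((rel, key, old_v))
    return clashes

def write_sample_etc(root, guid, name):
    """Build a constructed etc/ tree with placeholder identity values."""
    os.makedirs(os.path.join(root, "system", "local"), exist_ok=True)
    for rel, stanza, key in IDENTITY_KEYS:
        value = guid if key == "guid" else name
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(f"[{stanza}]\n{key} = {value}\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        old = write_sample_etc(os.path.join(tmp, "old"), "GUID-OLD-PLACEHOLDER", "syslog-old")
        new = write_sample_etc(os.path.join(tmp, "new"), "GUID-OLD-PLACEHOLDER", "syslog-new")
        print(carried_identity(old, new))
```

Any entry in the returned list is a value the new server inherited unchanged from the old one and should be reviewed before both servers are online together.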

dharveynswccd
Path Finder

Thanks for the tip. Much appreciated.

0 Karma