How to complete Splunk Migration from 3 different instances to a new instance?

Mansi24
Path Finder

Hi Splunkers,

We have to migrate our 3 Splunk instances to a whole different new instance. The Splunk documentation says to copy the entire contents of $SPLUNK_HOME$ to the new instance, but since we have to move 3 different instances to one, we can't do that for all of them.

Could you please guide me on the ideal way for the migration to take place? We need to have all apps and data from all the 3 instances on the new one. Also, how should the hardware requirements be decided?

Please help!


gcusello
SplunkTrust

Hi Mansi24,
if the three instances have different apps and data, it isn't complicated:

  • install Splunk on the new instance,
  • check that in the standard Splunk apps there aren't any knowledge objects (eventtypes, fields, etc...), especially in Launcher and Search,
  • if there are, move them to appropriate apps,
  • especially check that no indexes.conf is in the standard apps,
  • check if there's something that writes logs to the main index; if yes, move these inputs to a different index (if only one instance writes logs to the main index, it isn't important),
  • check if there are external inputs related to the old instances (Universal Forwarders, syslogs, etc...); don't move them now but after,
  • stop Splunk on the old and new instances,
  • copy all the apps from the three old instances to the new one,
  • copy all the non-internal indexes from the three old instances to the new one, except the main index,
  • copy the main index only if you have data in only one instance, otherwise don't copy it,
  • restart Splunk on the new instance,
  • don't restart the old instances,
  • if there are external inputs related to the old instances (Universal Forwarders, syslogs, etc...), move them to the new one.

If instead there are common apps and data, it's more complicated, because you have to manually move all the knowledge objects of the common apps into a full version of these apps.
For common data, you have to export all of them to text files before stopping the old instances and reindex them on the new one.

Ciao.
Giuseppe
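
An added example, not part of the answer above or of any Splunk tooling: a pre-migration audit that reports which apps and index names exist on more than one instance (the "common apps and data" case) and which `.conf` files sit in `local/` of the Search and Launcher apps. It assumes each old instance's `etc/apps` directory has been copied to a working folder; the labels `inst1` to `inst3` and all function names are hypothetical, and the sample tree is constructed.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

STANDARD_APPS = {"search", "launcher"}  # the two apps the answer names; extend as needed
STANZA = re.compile(r"^\[([^\]]+)\]", re.MULTILINE)

def audit(instances):
    """instances maps a label to a copy of that instance's etc/apps directory."""
    apps, indexes, misplaced = defaultdict(set), defaultdict(set), []
    for label, apps_dir in instances.items():
        for app in (p for p in Path(apps_dir).iterdir() if p.is_dir()):
            if app.name not in STANDARD_APPS:
                apps[app.name].add(label)
            for conf in app.glob("*/*.conf"):  # default/ and local/
                if conf.name == "indexes.conf":
                    for name in STANZA.findall(conf.read_text()):
                        # skip [default], volume: stanzas and internal (_*) indexes
                        if name != "default" and ":" not in name and not name.startswith("_"):
                            indexes[name].add(label)
                # local/ of a standard app holds settings changed on that instance
                if app.name in STANDARD_APPS and conf.parent.name == "local":
                    misplaced.append((label, app.name, conf.name))
    return {
        "common_apps": {a: sorted(ls) for a, ls in apps.items() if len(ls) > 1},
        "common_indexes": {i: sorted(ls) for i, ls in indexes.items() if len(ls) > 1},
        "standard_app_objects": sorted(misplaced),
    }

def build_sample(root):
    """Constructed sample: three tiny etc/apps trees, not real Splunk data."""
    files = {
        "inst1/search/local/eventtypes.conf": "[failed_login]\nsearch = action=failure\n",
        "inst1/app_fw/local/indexes.conf": "[firewall]\nhomePath = $SPLUNK_DB/firewall/db\n",
        "inst2/app_web/default/indexes.conf": "[web]\n[_internal]\n",
        "inst2/launcher/local/indexes.conf": "[firewall]\n",
        "inst3/app_web/local/props.conf": "[access_combined]\n",
    }
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return {name: Path(root, name) for name in ("inst1", "inst2", "inst3")}

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        return audit(build_sample(root))

if __name__ == "__main__":
    for check, findings in run_demo().items():
        print(check, findings)
```

An empty `common_apps` and `common_indexes` result corresponds to the simple case in the answer; any entry there means the manual merge or export-and-reindex path applies to that app or index.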
