Deployment Architecture

Search Head - migrating apps, views and users from indexer

ruiaires
Path Finder

I'm going from a single server installation to a Search Head + Indexer setup.

I've managed to install and setup the Search Head but now I would like to migrate everything (except the indexes) to the search head, that is:

  • Users, Roles and Authentication config
  • Apps, Searches, Reports and Views
  • Macros, Extracted Fields and Lookups

Basically, the only thing that stays in the original server is the actual indexes (and indexes.conf of course) since the plan is to have users use JUST the Search Head.

All the documentation talks about is the knowledge bundle but, at this moment, all the "knowledge" is in the indexer...

It seems that I should copy (almost) the entire(?) $SPLUNK_HOME/etc to the search head but I can't find anything on the documentation about this.

0 Karma

asetiawan
Explorer

What I would do:

User, roles, authentication:
- Copy $SPLUNK_HOME/etc/passwd (your user-password-roles pair)
- Copy authorize.conf from $SPLUNK_HOME/etc/system/local/ (your roles definition)

App/searches/Views. Locate your apps on $SPLUNK_HOME/etc/apps/
If you do everything in "search" app, don't copy the search app folder completely as it might give you headache later on when you upgrade. I'll do the following inside of the search app:
- copy your "local" folder (it has your searches, views, macros, lookups)
- copy metadata/local.meta if you want to preserve who owns what searches (it's not important)

For other apps that you have created from barebone template, you can simply copy over the whole app folder.

This works well in my experience.

bmacias84
Champion

Build all your configs, Macros, Field Extractions and lookups into apps like SearchHead_App, Indexer_app, Athentication_app. Then use Deployment Server

0 Karma

I-Man
Communicator

Copying the entire etc folder to the new instance would probably work (in my experience) although you may run into issues depending on what kind of config changes you have made. If i were you i would install fresh on each server, and copy the etc/apps directory to the Search Head, most apps shouldn't be necessary on the indexer (correct me if im wrong). And then copy /etc/system/local to both the indexer and search head. You will have to do some manual changes on these configs as each server has different roles, one searching, one just indexing.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...