Spread our blog

How To Migrate Splunk Without Stopping Splunkd( Using RSYNC command)

Hi Guys!!!
We all know about the migration concept more or less. Migrating means moving Splunk from one server,OS, filesystem to another, maintaining all the data, configuration and users. Migrating Splunk is not like upgradation. In the upgradation, we just install a newer version of Splunk on the top of the older one.
There are several reasons for migration. Below we have mentioned some of those reasons.
1) If you want to decommission a server where Splunk is currently running.
2) If you want to move to another OS. Because of either your organization doesn’t support or Splunk is no longer supports.
3) If you want to switch your OS ( from unix to windows or vise versa).
4) If you want to move the Splunk installation to the different file systems.
5) etc.

Steps for Splunk migration :
1) Stop Splunk Enterprise on the host from which you want to migrate.
2) You can tar or zip the $SPLUNK_HOME directory.
3) Copy the entire contents(tar or zip ) of the $SPLUNK_HOME directory from the old host to the new host.
4) Also, choose the appropriate location where you want to install the Splunk
5) Then you can untar the tar or zip file.
6) Start Splunk Enterprise on the new instance.
7) Log into Splunk Enterprise with your existing credentials.
8) After you log in, confirm that your data is intact by searching it.

But as you can see in the above steps there is a downtime for the Splunk migration. Most of the company doesn’t support this process.
Now today we will show you how to migrate Splunk without stopping the Splunkd service. So the advantage is there will be no downtime for the migration. Follow the below steps to achieve that thing.
Let’s say we want to migrate Splunk from sh(10.142.0.4) to new-sh(10.128.0.3 ).

r1(1)

Now open the GUI of Splunk in the current server which is sh.
See its working fine.

You can also know about :  HTTP Event Collector(HEC) in Splunk

r1

Step: 1
Now login to the sh server(10.142.0.4) from where you want to migrate Splunk.

r2

See the status of the Splunk by the following command.

$SPLUNK_HOME/bin/splunk status

r3

Also, see the current version of the Splunk which is running on this server by using the below command.

$SPLUNK_HOME/bin/splunk --version

r4

Step: 2
You have to configure the ssh. We have a user called splunk. We have to give access to splunk so that we can connect this server from a remote serverver. For that, you have to edit sshd_config file.
You can edit that file by using the below command.

r5
Also, you have to add two lines in that file to give access to the user called splunk.

r6
After that you have to restart the sshd service.

r7
NOTE : For performing Step 2 you have to contact the system admin because for performing these steps you need the admin privileges.

Step 3:
Now login to the new-sh(10.128.0.30) server where you want to migrate the existing Splunk Enterprise. And go to that directory where you want to install the Splunk.

r8

r9

Step 4:
Download the same version of the Splunk which is running in the sh(10.142.0.4) server.

r10
Step 5:
Untar the .tgz file.

r12

r13

Also change the ownership of the splunk directory.

r14
Step 6:
Install the Splunk and start it.

r15

r16

Check the status by using the following command.

$SPLUNK_HOME/bin/splunk status

r17
Once you cross-check the version whether you have installed the same version of Splunk or not.

$SPLUNK_HOME/bin/splunk --version

r18
Step 7:
Now we will migrate Splunk without stopping Splunkd.
You the below command to migrate the Splunk from one server to another server.

# rsync -av splunk@10.142.0.4:/opt/splunk /opt

r19

Now give the password of the user called splunk . Password will be the old server’s password.

You can also know about :  Splunk Btool

r20

Step 8:
Splunk will be migrated to this new server. Once cross-check everything is working fine then you can decommission the old server.

r21

As you have seen we didn’t stop the Splunkd on the old server.
Hope this will help you a lot in the migration process.
Happy Splunking!!

What’s your Reaction?
+1
+1
+1
+1
+1
1
+1
+1

Spread our blog

10 COMMENTS

  1. Can you please explain the migration process for indexers ? I think this process doesn’t suits for Indexer migration.

  2. it is similar and after completing the migration you need to follow indexer decommission process and wait for that indexer to shutdown gracefully

  3. A few questions..

    what is your plan for /opt/splunk/etc/instance.cfg? won’t these new splunk instances have the same GUID as the old splunk instance?

    What is your plan for /opt/splunk/etc/system/local/server.conf? won’t these new splunk instances try to reach the old index master that is still running, or maybe they’ll be confused?

LEAVE A REPLY

Please enter your comment!
Please enter your name here