Move a VM Search Head to a new physical server

sgarvin55
Splunk Employee

Current search head is on a VM. I have set up a new search head now which is on a physical server. Both have search peers set up correctly. The current VM search head has all of the user-specific settings, dashboards, searches, views, etc. configured. The new physical search head does not.

What specific files do I need to move from the first search head (VM) to the second search head (physical)? (That is, which files under $SPLUNK_HOME/etc need to be moved, and are there any files NOT under $SPLUNK_HOME/etc which need to be moved?)

Also, the first search head is also the license server. What is the best way to move the license over from the first search head to the second and then remove it from the first? Do I make the second search head the license master, install the license there, then re-point my indexers to the new server?

Damien_Dallimor
Ultra Champion

Have you considered setting up search head pooling using shared storage (NAS, clustered storage, etc.)?

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configuresearchheadpooling

Each Search Head has its own private copy of $SPLUNK_HOME/etc/system.

Search Head Pooling allows for synchronized sharing of $SPLUNK_HOME/etc/users and $SPLUNK_HOME/etc/apps via shared storage.

Authentication (local, LDAP, etc.) must be set up on each Search Head individually.

  • $SPLUNK_HOME/etc/system/local/authorize.conf
  • $SPLUNK_HOME/etc/system/local/authentication.conf
  • $SPLUNK_HOME/etc/passwd (if using local authentication)

As an alternative to setting up pooling as detailed above, you could "rsync" between your 2 Search Heads to keep $SPLUNK_HOME/etc/users and $SPLUNK_HOME/etc/apps synchronized and the auth-related config files in sync.

Regarding the License Server refactoring, I haven't done a migration as you describe, but I don't see any caveats with your approach.

I'll just add that I prefer to use a DNS CName for my Splunk License Server so that I don't need to update my license client's "master_uri" value if I were to move the license server to a new host; I can just update the DNS CName record.
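
The rsync alternative from the answer above, sketched as an added example that is not part of the original post or Splunk's own tooling: it copies only the paths the answer lists, over SSH, and skips any that do not exist (etc/passwd is only there with local authentication). The host `NEW_HOST`, the `splunk` SSH account, the `/opt/splunk` install path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: one-way copy of the search-head state named in the answer.
# NEW_HOST, the splunk account and /opt/splunk are assumptions.

# Paths relative to $SPLUNK_HOME, exactly as listed in the answer.
SYNC_PATHS='etc/users
etc/apps
etc/system/local/authorize.conf
etc/system/local/authentication.conf
etc/passwd'

# Print the listed paths that exist under the given SPLUNK_HOME.
# A missing entry (for example etc/passwd when local authentication is
# not used) is skipped so that rsync does not fail on it.
existing_sync_paths() {
    home=$1
    printf '%s\n' "$SYNC_PATHS" | while IFS= read -r rel; do
        if [ -e "$home/$rel" ]; then
            printf '%s\n' "$rel"
        fi
    done
}

# Copy those paths to the same relative locations on the new search head.
# -a preserves modes and timestamps, which matters because etc/passwd and
# authentication.conf hold credential material; -r is given explicitly
# because --files-from turns off the recursion that -a normally implies.
# Pass --dry-run as the third argument to preview the transfer.
sync_search_head() {
    src_home=$1
    dest=$2
    extra=${3:-}
    existing_sync_paths "$src_home" |
        rsync -a -r $extra -e ssh --files-from=- "$src_home/" "$dest"
}

# Usage (assumed host and install path):
#   sync_search_head /opt/splunk splunk@NEW_HOST:/opt/splunk/ --dry-run
```

Run it with `--dry-run` first and review the file list before copying credential files between hosts.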
