From Splunk Wiki


Relocating a 3.4.x Splunk instance

With Splunk stopped, copy the $SPLUNK_HOME directory and all its contents to the new location. If you have configured a different index location outside $SPLUNK_HOME, copy that directory as well. All files must be owned by the user that runs Splunk, but do not change the file permissions.

If necessary, update the following with the new information:

  • SPLUNK_HOME and SPLUNK_DB paths in etc/splunk-launch.conf
  • Hostnames defined for all data inputs at the top of any inputs.conf files
  • Explicitly defined hostnames or other items configured by props/transforms rules
  • Hardcoded paths or hosts in any scripted inputs
  • Hardcoded paths or hosts in any alert or coldToFrozen scripts

If you use a deployment server, update the clients from there and push new bundles.

Start the instance and verify correct operation.

Note: Hosts and pathnames recorded in existing events cannot be changed. New events will use the new values.
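
A check to run on the copied directory before starting Splunk, covering the ownership requirement and the list of items to update above. This is an added example, not part of the original wiki page or Splunk's own tooling; the function names, the choice to search etc/ and bin/ under the new location, and the sample values in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: post-copy checks for a relocated Splunk directory.
# Assumption: configuration files and scripts live under etc/ and bin/.

# List text files that still mention the old install path or old hostname.
# Usage: stale_refs NEW_HOME OLD_PATH OLD_HOST
stale_refs() {
    new_home=$1 old_path=$2 old_host=$3
    for dir in "$new_home/etc" "$new_home/bin"; do
        [ -d "$dir" ] || continue
        # -F: literal match (paths contain regex characters), -I: skip
        # binary files, -l: print file names only. No match is not an error.
        grep -rIlF -e "$old_path" -e "$old_host" "$dir" 2>/dev/null || :
    done
}

# List files not owned by the account that runs Splunk.
# Only ownership is inspected; permissions are left alone.
# Usage: wrong_owner NEW_HOME USER_OR_UID
wrong_owner() {
    find "$1" ! -user "$2" -print
}

# Print a report; exit status is 0 only when both checks come back clean.
# Usage: check_relocation NEW_HOME OLD_PATH OLD_HOST USER_OR_UID
check_relocation() {
    new_home=$1 old_path=$2 old_host=$3 run_as=$4
    stale=$(stale_refs "$new_home" "$old_path" "$old_host")
    owners=$(wrong_owner "$new_home" "$run_as")
    [ -n "$stale" ] && printf 'Still references old path or host:\n%s\n' "$stale"
    [ -n "$owners" ] && printf 'Not owned by %s:\n%s\n' "$run_as" "$owners"
    [ -z "$stale" ] && [ -z "$owners" ]
}

# Example call (constructed values):
#   check_relocation /opt/new/splunk /opt/old/splunk oldhost01 splunk
```

If the index location is outside $SPLUNK_HOME, run `wrong_owner` against that directory as well.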
