Migrate a *nix light forwarder
If you want to replace an existing light forwarder with a universal forwarder, you need to first migrate its checkpoint data to the new forwarder. Checkpoint data is internal data that the forwarder compiles to keep track of what data it has already forwarded to an indexer. By migrating the checkpoint data, you prevent the new universal forwarder from forwarding any data already sent by the old light forwarder. This ensures that the same data does not get indexed twice.
You can migrate checkpoint data from an existing *nix light forwarder (version 4.0 or later) to the universal forwarder. For an overview of migration, see "Migrating from a light forwarder" in the Deployment Overview.
Important: Migration can only occur the first time you start the universal forwarder, post-installation. You cannot migrate at any later point.
To migrate, do the following:
1. Stop any services (splunkd and splunkweb, if running) for the existing forwarder:
2. Complete the basic installation of the universal forwarder, as described in "Deploy a nix universal forwarder manually". Do not yet start the universal forwarder.
Important: Make sure you install the universal forwarder into a different directory from the existing light forwarder. Since the default install directory for the universal forwarder is
/opt/splunkforwarder and the default install directory for full Splunk (including the light forwarder) is
/opt/splunk, you'll be safe if you just stick with the defaults.
3. In the universal forwarder's installation directory, (the new
$SPLUNK_HOME), create a file named
old_splunk.seed; in other words:
$SPLUNK_HOME/old_splunk.seed. This file must contain a single line, consisting of the path of the old forwarder's
$SPLUNK_HOME directory. For example:
4. Start the universal forwarder:
The universal forwarder will migrate the checkpoint files from the forwarder specified in the
$SPLUNK_HOME/old_splunk.seed file. Migration only occurs the first time you run the
start command. You can leave the
old_splunk.seed in place; Splunk only looks at it the first time you start the forwarder after installing it.
5. Perform any additional configuration of the universal forwarder, as described in "Deploy a nix universal forwarder manually". Since the migration process only copies checkpoint files, you will probably want to manually copy over the old forwarder's
inputs.conf configuration file (or at least examine it, to determine what data inputs it was monitoring).
Once the universal forwarder is up and running (and after you've tested to ensure migration worked correctly), you can uninstall the old forwarder.
Migrate a Windows light forwarder
Supported CLI commands
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16