Distributed Deployment Manual

 


Migrate a *nix light forwarder

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Migrate a *nix light forwarder

If you want to replace an existing light forwarder with a universal forwarder, you need to first migrate its checkpoint data to the new forwarder. Checkpoint data is internal data that the forwarder compiles to keep track of what data it has already forwarded to an indexer. By migrating the checkpoint data, you prevent the new universal forwarder from forwarding any data already sent by the old light forwarder. This ensures that the same data does not get indexed twice.

You can migrate checkpoint data from an existing *nix light forwarder (version 4.0 or later) to the universal forwarder. For an overview of migration, see "Migrating from a light forwarder" in the Deployment Overview.

Important: Migration can only occur the first time you start the universal forwarder, post-installation. You cannot migrate at any later point.

To migrate, do the following:

1. Stop any services (splunkd and splunkweb, if running) for the existing forwarder:

   $SPLUNK_HOME/bin/splunk stop

2. Complete the basic installation of the universal forwarder, as described in "Deploy a nix universal forwarder manually". Do not yet start the universal forwarder.

Important: Make sure you install the universal forwarder into a different directory from the existing light forwarder. Since the default install directory for the universal forwarder is /opt/splunkforwarder and the default install directory for full Splunk (including the light forwarder) is /opt/splunk, you'll be safe if you just stick with the defaults.

3. In the universal forwarder's installation directory, (the new $SPLUNK_HOME), create a file named old_splunk.seed; in other words: $SPLUNK_HOME/old_splunk.seed. This file must contain a single line, consisting of the path of the old forwarder's $SPLUNK_HOME directory. For example: /opt/splunk.

4. Start the universal forwarder:

   $SPLUNK_HOME/bin/splunk start

The universal forwarder will migrate the checkpoint files from the forwarder specified in the $SPLUNK_HOME/old_splunk.seed file. Migration only occurs the first time you run the start command. You can leave the old_splunk.seed in place; Splunk only looks at it the first time you start the forwarder after installing it.

5. Perform any additional configuration of the universal forwarder, as described in "Deploy a nix universal forwarder manually". Since the migration process only copies checkpoint files, you will probably want to manually copy over the old forwarder's inputs.conf configuration file (or at least examine it, to determine what data inputs it was monitoring).

Once the universal forwarder is up and running (and after you've tested to ensure migration worked correctly), you can uninstall the old forwarder.

This documentation applies to the following versions of Splunk: 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 4.3.7 , 5.0 , 5.0.1 , 5.0.2 , 5.0.3 , 5.0.4 , 5.0.5 , 5.0.6 , 5.0.7 , 5.0.8 , 5.0.9 , 5.0.10 , 5.0.11 View the Article History for its revisions.


Comments

The universal forwarder is an entirely different executable from the light forwarder, which is just a version of full Splunk, so you would not want to install it into the same directory. Thanks for bringing up that point; I'll clarify the documentation.

Sgoodman
April 12, 2011

Is step 3 above assuming Step 2 used a different $SPLUNK_HOME directory? Why would that be assumed? or does this all apply even if I wanted the new forwarded to have the same homedir as the previous?

Lrhazi
April 11, 2011

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!