Migrate to the new entity schema in Splunk App for Infrastructure

When you restart splunkd after upgrading to version 2.1.0 or later of the Splunk App for Infrastructure (SAI) from a pre-2.1.0 version, the entity migration upgrade to the new entity schema automatically begins. The migration replaces collectors.conf with entity_classes.conf. The new configuration file includes entity classes that are responsible for entity discovery under the new schema. Don't restart splunkd during the automatic migration process.

What happens during the migration

You don't have to do anything for SAI to roll out the new entity schema. While SAI is migrating to the new schema, you can't access any content in the app.

SAI carries out these actions during the migration to the new entity schema:

1. Logs everything to the _internal index.
2. Backs up all /local/ conf files and all local metadata files in metadata/local.meta.
3. Creates a tarball that contains all the backup files at $SPLUNK_HOME/etc/apps/splunk_app_infrastructure/migration_backup.
4. Disables all saved searches and modular inputs that belong to SAI.
5. Disables SAI's REST API, and returns an HTTP 503 status code to all requests.

When the migration is complete, SAI enables all saved searches and modular inputs that belong to it, and enables its REST API.

Delete the old key value store after a successful migration

After the migration is successful, you can delete the key value store (KV store) for the previous entity schema.

What to do if there's a migration failure

There are a couple things that could cause errors during the migration to the new entity schema:

• The new KV store for the new schema could take longer to initialize than SAI expects.
• Orphaned alerts fail the pre-migration process.

You can check the logs with the following search to see if anything went wrong:

index=_internal sourcetype="splunk_app_infrastructure" source=sai_migration_controller.log*