getting my existing index into preview

Preview is out the door, woohoo! So up here in support I’m busy with the existing versions so I hadn’t checked out many of the new features. I wanted to mess with real data I care about, so I figured I’d copy my existing index and drop it into my splunkpreview directory. I host a handful of domains at home (on Leopard Server) and I’m using Splunk to watch various things I want to know, like who’s commenting on my blog and how many dictionary attacks I’ve had today. I thought it would be nifty to look at the same data in both 3.1.3 (my current production version) and preview.

The first time I tried it, I thought I’d be clever and set it all up before first startup with my whole index, users, saved searches and basically everything. Because, well, I clone this stuff all the time between 3.1.x versions when I’m setting up repro environments for customer issues. Wrong! Not sure what I forgot, but for my efforts I got a nice big segfault. Well, nothing a little rm won’t fix.

Take two. This time I installed preview plain and made sure it was up and running. I made myself a new admin user, deleted the default admin/changeme one so it was set up (mostly) like my original. Then I shut down both instances. I did clean all on the new one (very important to confirm you are in the right window!) and then copied over the contents of $SPLUNK_HOME/var/lib/splunk/defaultdb and fishbucket. defaultdb because that’s my main index and fishbucket so (in theory) when I start indexing it will pick up where it left off and not forget what happened before. I also moved inputs.conf, props.conf, transforms.conf and savedsearches.conf. Copying over savedsearches only worked because I knew my new user had the same uid as the original one, being created second.

Started it up and look! There’s all my stuff! Each is continuing to index the same sources, so the event counts don’t always match exactly but other than that it’s a clone of the original.
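The copy step from take two as a guarded shell function, added here as an example and not part of the original post: it refuses to run if both paths are the same install, if splunkd is still running in either one, or if the destination index directories have not been cleaned yet. The function name, the return codes and the var/run/splunk/splunkd.pid location are assumptions; the conf files are left out because the post does not say where they live.

```shell
#!/bin/sh
# Added example: copy defaultdb and fishbucket from one stopped Splunk
# install to another. clone_index and its return codes are hypothetical.
# Usage: clone_index /path/to/production/splunk /path/to/preview/splunk

clone_index() {
    src_home=$1
    dst_home=$2

    # Resolve both paths so a symlink or trailing slash cannot hide
    # that source and destination are the same install.
    src_real=$(cd "$src_home" 2>/dev/null && pwd -P) ||
        { echo "no such directory: $src_home" >&2; return 2; }
    dst_real=$(cd "$dst_home" 2>/dev/null && pwd -P) ||
        { echo "no such directory: $dst_home" >&2; return 2; }
    if [ "$src_real" = "$dst_real" ]; then
        echo "refusing: source and destination are the same install" >&2
        return 3
    fi

    # Both instances must be shut down before the index files are touched.
    # Assumption: splunkd writes its pid to var/run/splunk/splunkd.pid.
    for home in "$src_real" "$dst_real"; do
        pidfile="$home/var/run/splunk/splunkd.pid"
        if [ -f "$pidfile" ] && kill -0 "$(head -n 1 "$pidfile")" 2>/dev/null; then
            echo "refusing: splunkd is still running in $home" >&2
            return 4
        fi
    done

    src_db="$src_real/var/lib/splunk"
    dst_db="$dst_real/var/lib/splunk"
    for dir in defaultdb fishbucket; do
        [ -d "$src_db/$dir" ] ||
            { echo "missing source directory: $src_db/$dir" >&2; return 5; }
        # The destination must already be empty (cleaned) or absent;
        # this function never deletes anything itself.
        [ -z "$(ls -A "$dst_db/$dir" 2>/dev/null)" ] ||
            { echo "refusing: $dst_db/$dir is not empty" >&2; return 6; }
    done

    # Copy the contents of each directory, keeping modes and timestamps.
    for dir in defaultdb fishbucket; do
        mkdir -p "$dst_db/$dir"
        cp -Rp "$src_db/$dir/." "$dst_db/$dir/"
    done
}
```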

