Too much success with logs
Today, it became clear that the virtual host I created for Splunk to run on was not going to last. After 8 months and 27.1 million events, I decided to move my OpenCanary Splunk instance to a new host.
As the last 8 months have seen the number of OpenCanary instances grow from 1 to 3, I decided to level the playing field and start with a new index.
Tips for migration?
- The datasets I derived for my dashboard enrichment could be run into Search again and saved on the new instance
- The dashboards I was using can be opened in XML. Marvellous!
- Since it is a one-user system and it will likely revert to a no-login free Splunk instance, I changed all assets to be shared to all
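Starting on a new index means every saved dashboard search still points at the old one. Below is an added helper, not from the original post, that rewrites the `index=` term inside the `<query>` elements of a Splunk Simple XML dashboard export and lists which indexes a dashboard references, so the migration can be checked before and after. The sample dashboard, the index name `opencanary` and the field names in it are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Splunk Simple XML dashboard. The index name,
# sourcetype and field names are assumptions for this example, not values
# taken from the original post or from OpenCanary's own add-on.
SAMPLE_DASHBOARD = """<dashboard>
  <label>OpenCanary events</label>
  <row>
    <panel>
      <search>
        <query>index=opencanary sourcetype=opencanary | stats count by logtype</query>
        <earliest>-24h</earliest>
      </search>
    </panel>
    <panel>
      <search>
        <query>index="opencanary" dst_port=22 | timechart count</query>
      </search>
    </panel>
    <panel>
      <search>
        <query>index=opencanary_archive | stats count</query>
      </search>
    </panel>
  </row>
</dashboard>"""

# Matches index=NAME in bare or double-quoted form; the trailing negative
# lookahead keeps a longer name such as opencanary_archive from matching.
def _index_term(name: str) -> re.Pattern:
    return re.compile(r'\bindex\s*=\s*"?%s"?(?![\w\-])' % re.escape(name))

def index_names(xml_text: str) -> set:
    """Return the set of index names referenced by the dashboard's <query> elements."""
    root = ET.fromstring(xml_text)
    found = set()
    for query in root.iter("query"):
        for match in re.finditer(r'\bindex\s*=\s*"?([\w\-*]+)"?', query.text or ""):
            found.add(match.group(1))
    return found

def rewrite_index(xml_text: str, old_index: str, new_index: str) -> str:
    """Return the dashboard XML with every index=OLD in a <query> changed to index="NEW".

    Only <query> text is touched, so labels, tokens and layout stay as exported."""
    root = ET.fromstring(xml_text)
    pattern = _index_term(old_index)
    for query in root.iter("query"):
        if query.text:
            query.text = pattern.sub('index="%s"' % new_index, query.text)
    return ET.tostring(root, encoding="unicode")
```

Run `index_names` on the export first to see which indexes it uses, rewrite, then run it again on the result to confirm only the intended references changed.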
This time, more space and a cleaner installation!
RIP AgentSmith, hello Oracle!