
See How configuration changes propagate across the search head cluster in the Distributed Search Manual.

Migrate an existing search head to a search head cluster

An Enterprise Security standalone search head or search head pool member cannot be added to a search head cluster.
To migrate ES configurations to a search head cluster:

1. Identify any custom configurations and modifications in the prior ES installation. Check to make sure there is no local copy of ess_setup.conf that could conflict with the default one when you deploy Enterprise Security to the cluster.
2. Implement a new search head cluster.
3. Deploy the latest version of Enterprise Security on the search head cluster.
4. Review and migrate the customized configurations to the search head cluster deployer for replication to the cluster members.
5. Shut down the old ES search head.

For more information, see the topic Migrate from a standalone search head to a search head cluster in the Splunk Enterprise Distributed Search Manual.

For assistance in planning a Splunk Enterprise Security deployment migration, contact Splunk Professional Services.

Back up and restore Splunk Enterprise Security in a search head cluster environment

Back up and restore a Splunk Enterprise Security search head cluster (SHC) environment with at least three SHC nodes. All of the nodes in the SHC must be running the same version of Splunk Enterprise Security. Restoring an SHC environment might be necessary in the event of a disaster.

Take regular backups from the SHC, so that you have a backup from a time when the environment is healthy. For example, you could automate taking backups every hour. Choose a frequency of backups based on recovery point objectives.

To check if your environment is healthy, you can use one of the following methods:

• CLI command: ./splunk show shcluster-status --verbose

• API: /services/shcluster/status?advanced=1

In the output, look for the following fields:

Field                Description
dynamic_captain      Whether the cluster has a dynamically elected captain.
stable_captain       Whether the cluster captain is in a stable state.
service_ready_flag   Whether the cluster has enough members to support the replication factor.
splunk_version       Whether all members, including the cluster master, are running the same Splunk version.
out_of_sync          Whether all nodes are currently in sync.
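The health fields above are the natural gate for the scheduled backup described earlier: only snapshot a cluster that is currently healthy, so the backup is worth restoring. The following is an added example (not Splunk code) that assumes the status has already been fetched, for instance from the API call above with output_mode=json, and flattened into the simple captain/members shape shown; that shape, the member names and the version strings are constructed for illustration.

```python
"""Gate an SHC backup on the health fields listed in the doc.

Added example, not Splunk code. Assumes the cluster status has already been
retrieved and flattened into the dict shape below (an assumption, not the
exact REST payload layout); sample values are constructed.
"""
from typing import Dict, List

# Constructed sample in the assumed shape: captain-level flags plus one
# entry per member carrying its Splunk version and sync state.
HEALTHY_STATUS = {
    "captain": {"dynamic_captain": True, "stable_captain": True,
                "service_ready_flag": True},
    "members": {
        "sh1": {"splunk_version": "9.1.2", "out_of_sync": False},
        "sh2": {"splunk_version": "9.1.2", "out_of_sync": False},
        "sh3": {"splunk_version": "9.1.2", "out_of_sync": False},
    },
}


def shc_health_problems(status: Dict) -> List[str]:
    """Return the reasons the cluster is not healthy (empty list = healthy)."""
    problems: List[str] = []
    captain = status.get("captain", {})
    # The three captain flags from the doc must all be set.
    for flag in ("dynamic_captain", "stable_captain", "service_ready_flag"):
        if not captain.get(flag):
            problems.append(f"{flag} is not set")
    members = status.get("members", {})
    # The doc requires at least three SHC nodes for backup and restore.
    if len(members) < 3:
        problems.append(f"only {len(members)} members; need at least 3")
    # Every member must run the same Splunk version.
    versions = {m.get("splunk_version") for m in members.values()}
    if len(versions) > 1:
        problems.append(f"mixed Splunk versions: {sorted(versions)}")
    # No member may be out of sync with the captain.
    stale = sorted(name for name, m in members.items() if m.get("out_of_sync"))
    if stale:
        problems.append(f"members out of sync: {stale}")
    return problems


def should_take_backup(status: Dict) -> bool:
    """Only snapshot a cluster that is healthy, so the backup is restorable."""
    return not shc_health_problems(status)
```

Run the check from the same scheduler that triggers the hourly backup and skip (and alert on) the run when problems are reported, rather than silently archiving a degraded cluster.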
