https://community.splunk.com/t5/Getting-Data-In/How-to-recreate-partial-index-data-with-metadata-on-different/m-p/654939#M111002 <P>Hi</P><P>basically you could try to copy those from prod node. Here is an old post about it&nbsp;<A href="https://community.splunk.com/t5/Installation/How-to-migrate-indexes-to-new-indexer-instance/m-p/528064/highlight/true" target="_blank">https://community.splunk.com/t5/Installation/How-to-migrate-indexes-to-new-indexer-instance/m-p/528064/highlight/true</A></P><P>You should change needed configurations after copy as you want this to be a different host &nbsp;also you should copy only needed indexes or remove those after rsync.</P><P>r. Ismo</P><P>&nbsp;</P> Fri, 18 Aug 2023 20:31:58 GMT isoutamo 2023-08-18T20:31:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-recreate-partial-index-data-with-metadata-on-different/m-p/654924#M111001 <P>I have a Splunk container for development (Dev).&nbsp; I want to import a slice of data from one index of my production Splunk (Prod) to this container so I can write searches against that data exactly as it appears in Prod.&nbsp;</P><P>Using Export on Prod and Import on Dev is not producing my desired outcome.&nbsp; Doing this as a single file with a single indexing is creating logs that are indexing the container hostname as the host not the host of the data itself.&nbsp; The data in the Prod index is of varying sourcetypes so the import is also only creating the sourcetype of the import file, not tha sourcetype from the data itself.&nbsp;</P><P>I'm looking at possibly using the&nbsp; EventGen app but not sure if this will do what I'm trying to do.</P><P>Is what I'm doing possible?&nbsp; I do not want the entire prod index. I do not want to rsync or otherwise go to the backend to move data.&nbsp;&nbsp;</P><P>EDIT: I modified the title, it seems I want the raw data and metadata to all come over in one package?</P> Fri, 18 Aug 2023 18:22:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-recreate-partial-index-data-with-metadata-on-different/m-p/654924#M111001 deepdive100 2023-08-18T18:22:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-recreate-partial-index-data-with-metadata-on-different/m-p/654939#M111002 <P>Hi</P><P>basically you could try to copy those from prod node. Here is an old post about it&nbsp;<A href="https://community.splunk.com/t5/Installation/How-to-migrate-indexes-to-new-indexer-instance/m-p/528064/highlight/true" target="_blank">https://community.splunk.com/t5/Installation/How-to-migrate-indexes-to-new-indexer-instance/m-p/528064/highlight/true</A></P><P>You should change needed configurations after copy as you want this to be a different host &nbsp;also you should copy only needed indexes or remove those after rsync.</P><P>r. Ismo</P><P>&nbsp;</P> Fri, 18 Aug 2023 20:31:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-recreate-partial-index-data-with-metadata-on-different/m-p/654939#M111002 isoutamo 2023-08-18T20:31:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-recreate-partial-index-data-with-metadata-on-different/m-p/655335#M111038 <P>So it seems the way forward for me is to write some scripts to pull down `index=app host=each_host sourcetype=each_sourcetype` for a specific time block, export them with the hostname in the title and import each with the hostname widget set to the filename.&nbsp; One script of API calls with the variables on the hosts and sourcetype should do it.&nbsp; Will try it out and update here</P> Wed, 23 Aug 2023 13:53:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-recreate-partial-index-data-with-metadata-on-different/m-p/655335#M111038 deepdive100 2023-08-23T13:53:57Z