topic Re: Merge indices to one index in Getting Data In

Merge indices to one index

chrisitanmoleck — Mon, 21 Aug 2017 12:16:37 GMT

Hello,

we have a lot of indices with low amount of data (some MBs).
So I want to merge some indicies to one.

e.g:
Foo -> FooBar
Bar -> FooBar

How is that feasible?

Re: Merge indices to one index

niketn — Mon, 21 Aug 2017 12:25:43 GMT

Seems like you need to use collect command.

Refer to the following documentation

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect#Moving_events_to_a_different_index

Refer to the video tutorial to understand the concept of summary indexing: https://www.splunk.com/view/SP-CAAACZW

Re: Merge indices to one index

DalJeanis — Mon, 21 Aug 2017 13:50:23 GMT

Ummm.... why?

If it's just for search time convenience, consider adding the same tag to each index as per this one...

https://answers.splunk.com/answers/123629/add-an-alternative-name-as-an-extra-index-identifier.html

Then, for cleanup purposes, create your new index, tag THAT index with the same tag, and redirect all indexing on the low-volume indexers to the new index. The data on the old indexes will roll off over time, cleaning up your system without you having to muck about with actually moving the old data.

Re: Merge indices to one index

chrisitanmoleck — Mon, 21 Aug 2017 14:11:11 GMT

If I do it with collect and deactivate the old index, I can't find the moved data.
host=foo
has no result.

Otherwise index=bar has the correct results

Re: Merge indices to one index

kdimaria — Mon, 21 Aug 2017 14:17:28 GMT

You can go into settings -> Indexes and create a new index. (FooBar) Then, you can use the collect command to move all the data to the new index.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Collect

Re: Merge indices to one index

chrisitanmoleck — Wed, 23 Aug 2017 13:01:14 GMT

If you want to copy data with the collect-command you should also add informations to host, sourcetype and source.
Otherwise these fields get a splunk-internal name.

index="foo" | collect index="bar" host="bar1" source="bar2" sourcetype="bar3"