Copy index

splunkuzleuven · ‎02-25-2019

I'm looking for a clean way to copy an index or duplicate a data stream withouth having to index it twice.

We have a Splunk production environment, but are setting up a new environment. This one is more development based, but would use some of the data that is running in production.
Seeing we don't want to mix dev and prod, but don't want to index data twice, what would be the best way to make certain data or indexes available to both machines?

We tried a setup with forwarding from the prod machine, and with transform and props we managed to get the correct data to our dev machine, but then the prod machine stopped indexing all together...

skalliger · ‎02-25-2019

First of all a question: Do you really need to copy your indexes to new indexers? If so, do you really think you need new indexers? You could just setup a new search head which points to your existing indexers and do your development from there.

Skalli

splunkuzleuven · ‎02-26-2019

Lets say, not copy the index directly. Just copy the stream of data, but withouth it being indexed twice (don't want to waste volume).
How would I go about doing that withouth having to setup a new server if possible...

I'm open to all suggestions, as long as I'm not wasting license volume.

lakshman239 · ‎02-26-2019

If you want your prod data to be useful/available for dev, without indexing, you only need to setup a search head for dev and point to existing indexers.

Alternatively, on your laptop/dev machine, you can have splunk and eventgen app and config [ taking samples from prod] and do your development.

In both cases, you will need some compute and license/free, but an option.

Copy index

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!