How to move data from old indexer to new setup?

awendler · ‎10-17-2014

We used to use splunk in a very, very slow and old machine and we have about 9 years of logs on that machine.

We recently moved to a much much nicer 6 server cluster and want to decommission the old machine but do not want to lose those logs.

How can we move the data from the old setup into the new? The smart thing may have been to move it BEFORE powering up the new setup but we did not do that, so now the past 3 months of logs are indexed and stored in the new setup while the old setup has years of data from before that turn on date/

ChrisG · ‎03-12-2015

This is covered in the Managing Indexers and Clusters of Indexers manual. See the topic Move the index database.

vliggio · ‎03-12-2015

This won't take into account conflicting bucket IDs that might exist since the index has been collecting data in the new system.

ChrisG · ‎03-12-2015

Ah, sorry, quite right.

vliggio · ‎03-11-2015

Upgrade the old server to v6, then copy the buckets over to the new server.

This wiki post might help (see the advanced section, since you have existing buckets): http://wiki.splunk.com/Community:MoveIndexes

How to move data from old indexer to new setup?

Free LIVE events worldwide 2/8-2/12Connect, learn, and collect rad prizes and swag!Sign up now >

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!

Sign up now >