We have lost indexed data of some days in clustered indexer. However, data exists in standalone splunk.
How migrate it?
I like the following idea -
-- However, if you just want the old data to be searchable in the new setup, you can add the old instance as a non clustered search peer on the search head.
If on the old standalone instance, no data ingestion is happening, you can just restart Splunk on it, so that all hot buckets will move to warm. Then you can just copy warm and cold buckets to your cluster. Again, if you didn't customize your indexes.conf to roll your hot buckets to warm with span of 24 hr, then a bucket can have data for multiple days. Choosing specific days won't be possible in that case.
If you're not rolling your buckets every single day, it is hard to get the correct buckets of the system.
What I can think off you could do:
1) export the data (in _raw) and reindex it in your cluster OR
2) user the "|collect " command to move ONLY the data you need to a new index on your standalone server. And compy the complete directory of the new index to one of your cluster systems (data won't be replicated, i I remeber it well)