Migration from Windows Single Instance Deployment to Small Enterprise Distributed Deployment


The scenario is the following: I work for a small company that installed Splunk initially for a small user base as a standalone deployment. The demand as expanded to multiple departments and we need to convert to a distributed deployment. The deployment would be one dedicated search head, and one indexer.

My question is would this work for a conversion process?
1: Enable Index Clustering on current standalone instance.
2: Make the current standalone instance as a master node.
3: Bring up new indexer as a peer node.
4: Replicate the data from standalone to new indexer
5: Make new indexer the master node
6: Convert current standalone to dedicated search head.

Is this a valid process?

Is there a reason, such as storage limitations, that you need to migrate the data off the existing stand-alone instance? The obvious easy path I see is to stand up the new server as a search head, and convert your existing instance into a an indexer.

The issue with your current process is that your existing indexed data buckets are not "clustered" buckets, and will not replicate.

More info at this link:

