We have a single-node Splunk Enterprise cluster. The version we are running is 6.4.4. This single instance acts as master, search head and also indexer. The data gets indexed at intervals from HDFS.
Now that the data size is growing rapidly, we are planning to move away from single-node mode to cluster mode.
Any pointers on how we could proceed from a single host to multi-node mode by distributing all configurations, dashboards and legacy indexed data?
Types of Splunk Deployments
Index Clustering - Tons of info/links that branch into more info all over this page
Things I wish I knew then - This has some useful all around info
Decide on FIPS before starting the upgrade/migration
The toughest part for me was when I upgraded to an indexer cluster, I wasn't able to bring over the indexed data from the standalone. There is a complex option of renaming bucket GUIDs to match the new GUID structure but I didn't go that route. I was able to search the standalone from the new SH but once I turned off the old Splunk I lost the data. Oh and create a deployment plan filling in all of your decision points and formula/values/IPs/IndexNames/Forwarders/etc, pass4SymmKey and other items .. this was invaluable.
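The bucket-rename route the answer above mentions but did not take, as an added dry-run planner (my example, not the poster's procedure and not Splunk's own tooling). It assumes the documented bucket directory layout: a standalone indexer names warm and cold buckets db_<latest>_<earliest>_<localid>, and an indexer-cluster peer appends its GUID (the one in that peer's etc/instance.cfg). The planner walks one index's db directory, refuses hot buckets and local-id collisions with buckets already on the peer, and applies the renames only when explicitly asked; DEMO_GUID and every bucket name below are constructed placeholders. The real move is done with the peer stopped and tested in a development environment first.

```python
import re
import tempfile
from pathlib import Path

# Bucket directory layouts assumed for this example (see lead-in):
# standalone indexer:  db_<latest_epoch>_<earliest_epoch>_<local_id>
# cluster peer:        db_<latest_epoch>_<earliest_epoch>_<local_id>_<guid>
STANDALONE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")
CLUSTERED = re.compile(r"^db_(\d+)_(\d+)_(\d+)_([0-9a-fA-F-]{36})$")
GUID = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def plan_bucket_renames(index_dir, peer_guid):
    """Dry run over one index directory (e.g. .../hdfs/db). Nothing is touched.

    Returns (renames, skipped):
      renames: (old_name, new_name) pairs giving standalone buckets the
               cluster-style name under peer_guid
      skipped: (name, reason) pairs for directories that must not be renamed
    """
    index_dir = Path(index_dir)
    if not GUID.match(peer_guid):
        raise ValueError(f"not a GUID: {peer_guid!r}")

    # Local ids already present on the peer under this GUID: a migrated bucket
    # with the same id would collide with an existing bucket name.
    taken = set()
    for entry in index_dir.iterdir():
        m = CLUSTERED.match(entry.name)
        if m and m.group(4).lower() == peer_guid.lower():
            taken.add(int(m.group(3)))

    renames, skipped = [], []
    for entry in sorted(index_dir.iterdir()):
        if not entry.is_dir():
            continue
        name = entry.name
        if name.startswith("hot_"):
            skipped.append((name, "hot bucket: roll it to warm before migrating"))
            continue
        if CLUSTERED.match(name):
            skipped.append((name, "already carries a GUID"))
            continue
        m = STANDALONE.match(name)
        if not m:
            skipped.append((name, "not a bucket directory"))
            continue
        local_id = int(m.group(3))
        if local_id in taken:
            skipped.append((name, f"local id {local_id} already used on this peer"))
            continue
        taken.add(local_id)
        renames.append((name, f"{name}_{peer_guid}"))
    return renames, skipped


def apply_bucket_renames(index_dir, renames):
    """Perform the renames from plan_bucket_renames (run only with the peer stopped)."""
    index_dir = Path(index_dir)
    for old, new in renames:
        (index_dir / old).rename(index_dir / new)


# Placeholder GUID for the demonstration; a real peer's GUID comes from
# $SPLUNK_HOME/etc/instance.cfg on that peer.
DEMO_GUID = "00000000-0000-0000-0000-000000000001"


def demo():
    """Build a constructed index directory in a temp dir, plan and apply the move."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "db"
        db.mkdir()
        for name in (
            "db_1489000000_1488000000_12",                # standalone warm bucket
            "db_1488000000_1487000000_11",                # standalone warm bucket
            "db_1486000000_1485000000_10",                # standalone, id already taken
            f"db_1487000000_1486000000_10_{DEMO_GUID}",   # already on the peer
            "hot_v1_13",                                  # hot bucket, roll first
        ):
            (db / name).mkdir()
        renames, skipped = plan_bucket_renames(db, DEMO_GUID)
        apply_bucket_renames(db, renames)
        final = sorted(p.name for p in db.iterdir())
    return renames, skipped, final


if __name__ == "__main__":
    renames, skipped, _ = demo()
    for old, new in renames:
        print(f"{old} -> {new}")
    for name, reason in skipped:
        print(f"skip {name}: {reason}")
```

Run the planner first and read the skipped list: every entry there is a bucket that needs attention (rolling, renumbering, or leaving in place) before the rename is safe to apply.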
You would effectively be going from a Splunk instance as search head / indexer to a dedicated search head and a dedicated indexer, you could also go to a search head cluster or indexer cluster...depending on how much growth you expect you might want to build an indexer cluster...
You should probably read Deploy a distributed search environment.
I can see two obvious choices:
If you make the existing search head / indexer the new indexer, no problems with attempting to move data around, but you would need to attempt to migrate all the search related configuration.
Migrate from a standalone search head to a search head cluster might help here; it explains migrating to a search head cluster, but it does tell you which files you need to find, so you could find/move them to your new search head.
Alternatively, if you keep the current search head as the search head, you have to migrate the indexer data as per Migrate a Splunk Enterprise instance.
Personally I'd build the new indexer and move the data, but you will need a development environment to test this in, it's not the easiest thing to do...
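For the first option in the answer above (the existing instance stays the indexer and the search-related configuration moves to a new search head), this added script inventories a $SPLUNK_HOME tree and groups its customised files by where they belong after the split. It is my example, not code from the thread or from Splunk; the role mapping in DESTINATION is general Splunk guidance I am assuming, and the tree it walks in demo() is constructed, so check each file against the Splunk documentation the answer links before moving anything.

```python
import re
import tempfile
from pathlib import Path

# Where each .conf file belongs once a combined search head + indexer is split
# into dedicated roles (assumed mapping, see lead-in; confirm against the docs).
DESTINATION = {
    "savedsearches.conf": "search_head",
    "macros.conf": "search_head",
    "eventtypes.conf": "search_head",
    "tags.conf": "search_head",
    "indexes.conf": "indexer",
    "inputs.conf": "indexer",    # or the forwarders, if inputs move there
    "outputs.conf": "indexer",
    "props.conf": "both",        # index-time settings on the indexer, search-time on the SH
    "transforms.conf": "both",
}

STANZA = re.compile(r"^\[(.+)\]\s*$")


def count_stanzas(conf_path):
    """Count [stanza] headers in a Splunk .conf file (one per knowledge object)."""
    with open(conf_path, encoding="utf-8") as fh:
        return sum(1 for line in fh if STANZA.match(line))


def inventory(splunk_home):
    """Walk a $SPLUNK_HOME tree and group migratable artifacts by destination.

    Returns {role: {relative_path: stanza_count_or_None}} for the roles
    search_head, indexer, both and review (files this script does not classify).
    """
    home = Path(splunk_home)
    found = {"search_head": {}, "indexer": {}, "both": {}, "review": {}}

    # App-level local/ configuration holds the customisations worth migrating
    # (default/ ships with the app and is reinstalled, not copied).
    for conf in home.glob("etc/apps/*/local/*.conf"):
        role = DESTINATION.get(conf.name, "review")
        found[role][str(conf.relative_to(home))] = count_stanzas(conf)

    # Dashboards and navigation XML are search-head artifacts.
    for xml in home.glob("etc/apps/*/local/data/ui/**/*.xml"):
        found["search_head"][str(xml.relative_to(home))] = None

    # Per-user knowledge objects (private searches, dashboards) follow the search head.
    for conf in home.glob("etc/users/*/*/local/*.conf"):
        found["search_head"][str(conf.relative_to(home))] = count_stanzas(conf)
    for xml in home.glob("etc/users/*/*/local/data/ui/**/*.xml"):
        found["search_head"][str(xml.relative_to(home))] = None

    return found


def demo():
    """Build a constructed $SPLUNK_HOME in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        app = home / "etc/apps/search/local"
        (app / "data/ui/views").mkdir(parents=True)
        (app / "savedsearches.conf").write_text(
            "[failed logins]\nsearch = index=auth action=failure | stats count by user\n\n"
            "[hdfs ingest volume]\nsearch = index=hdfs | timechart count\n"
        )
        (app / "indexes.conf").write_text("[hdfs]\nhomePath = $SPLUNK_DB/hdfs/db\n")
        (app / "props.conf").write_text("[hdfs:log]\nTRANSFORMS-drop = drop_noise\n")
        (app / "data/ui/views/overview.xml").write_text("<dashboard/>\n")
        user = home / "etc/users/alice/search/local"
        user.mkdir(parents=True)
        (user / "savedsearches.conf").write_text("[my private search]\nsearch = index=hdfs\n")
        return inventory(home)


if __name__ == "__main__":
    for role, files in demo().items():
        print(role)
        for path, stanzas in sorted(files.items()):
            print(f"  {path}" + (f" ({stanzas} stanzas)" if stanzas is not None else ""))
```

Anything that lands in the review bucket is a file the mapping does not know about; decide its destination by hand rather than copying it to both nodes, since a stray indexes.conf or outputs.conf on the wrong role changes where data is written.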