Deployment Architecture

Can I merge data buckets from multiple indexes or indexers?

Dan
Splunk Employee
Splunk Employee

Multiple indexes: I had mistakenly created indexes X and Y, and now I want to merge the two data sets.

Multiple indexers: I want to create a Splunk "archive instance" that collects frozen buckets from multiple indexers and treats them as live data. The idea is that users can log in to the archive instance to search across very old data without having to restore it first.

In either case, will it work to just copy buckets from different directories into one?

Tags (1)
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

Almost. Buckets are named, e.g., hot_v1_42 for hot or db_123457890_1224567890_55 for warm and cold. (The first two numbers are time ranges of the bucket data) And the last one is simply an ID. The ID must be unique within an index, so if you merge buckets from different indexes, you must rename the bucket to change the index to guarantee it's unique in the merged index. And easy way is to just tack a different digit (or set of digits) to the end of the name, e.g., if it comes from source A, then bucket 55 becomes bucket 551, and source B bucket 55 would become bucket 552, etc.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

Almost. Buckets are named, e.g., hot_v1_42 for hot or db_123457890_1224567890_55 for warm and cold. (The first two numbers are time ranges of the bucket data) And the last one is simply an ID. The ID must be unique within an index, so if you merge buckets from different indexes, you must rename the bucket to change the index to guarantee it's unique in the merged index. And easy way is to just tack a different digit (or set of digits) to the end of the name, e.g., if it comes from source A, then bucket 55 becomes bucket 551, and source B bucket 55 would become bucket 552, etc.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...