Deployment Architecture

Can I merge data buckets from multiple indexes or indexers?

Dan
Splunk Employee

Multiple indexes: I had mistakenly created indexes X and Y, and now I want to merge the two data sets.

Multiple indexers: I want to create a Splunk "archive instance" that collects frozen buckets from multiple indexers and treats them as live data. The idea is that users can log in to the archive instance to search across very old data without having to restore it first.

In either case, will it work to just copy buckets from different directories into one?

1 Solution

gkanapathy
Splunk Employee

Almost. Buckets are named, e.g., hot_v1_42 for hot or db_123457890_1224567890_55 for warm and cold. (The first two numbers are time ranges of the bucket data.) And the last one is simply an ID. The ID must be unique within an index, so if you merge buckets from different indexes, you must rename the bucket to change the index to guarantee it's unique in the merged index. An easy way is to just tack a different digit (or set of digits) to the end of the name, e.g., if it comes from source A, then bucket 55 becomes bucket 551, and source B bucket 55 would become bucket 552, etc.
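The renaming scheme from the answer above, as an added example that is not part of the original post or Splunk's own tooling: it plans the suffix-based renames, refuses any plan that would produce a duplicate ID in the merged index, and then moves the directories. The function names, the per-source suffix mapping and the directory layout are assumptions of this sketch, and only warm/cold `db_` names are handled.

```python
import re
import shutil
from pathlib import Path

# Warm/cold bucket directory name as described above: db_<time>_<time>_<id>
BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")

def plan_renames(sources, existing_ids=()):
    """sources maps a digit suffix (one per source) to that source's bucket names.
    Returns [(suffix, old_name, new_name)]; raises ValueError on any ID clash."""
    taken = {int(i) for i in existing_ids}  # IDs already present in the target index
    plan = []
    for suffix, names in sources.items():
        if not suffix.isdigit():
            raise ValueError(f"suffix must be digits: {suffix!r}")
        for name in names:
            m = BUCKET_RE.match(name)
            if m is None:
                continue  # not a db_ name (e.g. hot_v1_42): left out of this sketch
            t1, t2, old_id = m.groups()
            new_id = int(old_id + suffix)  # "55" + "1" -> 551
            if new_id in taken:
                # Happens with mixed-length suffixes ("51"+"1" == "5"+"11")
                # or when the target index already holds that ID.
                raise ValueError(f"{name} (source {suffix}): ID {new_id} already used")
            taken.add(new_id)
            plan.append((suffix, name, f"db_{t1}_{t2}_{new_id}"))
    return plan

def apply_plan(plan, source_dirs, target_dir):
    """Move each planned bucket into target_dir under its new name.
    Assumed layout: source_dirs[suffix] is the directory holding that source's buckets."""
    moved = []
    for suffix, old, new in plan:
        dest = Path(target_dir) / new
        if dest.exists():
            raise FileExistsError(dest)  # never overwrite an existing bucket
        shutil.move(str(Path(source_dirs[suffix]) / old), str(dest))
        moved.append(dest.name)
    return moved

if __name__ == "__main__":
    # Constructed sample: the same bucket name arriving from two sources.
    sample = {"1": ["db_123457890_1224567890_55"],
              "2": ["db_123457890_1224567890_55"]}
    for row in plan_renames(sample):
        print(row)
```

Using suffixes of the same length for every source keeps the new IDs distinct by construction; the collision check covers the cases where that is not true.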

