Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I merge data buckets from multiple indexes or indexers?

Dan
Splunk Employee
Splunk Employee
‎06-18-2010 12:09 PM

Multiple indexes: I had mistakenly created indexes X and Y, and now I want to merge the two data sets.

Multiple indexers: I want to create a Splunk "archive instance" that collects frozen buckets from multiple indexers and treats them as live data. The idea is that users can log in to the archive instance to search across very old data without having to restore it first.

In either case, will it work to just copy buckets from different directories into one?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-18-2010 12:39 PM

Almost. Buckets are named, e.g., hot_v1_42 for hot or db_123457890_1224567890_55 for warm and cold. (The first two numbers are time ranges of the bucket data) And the last one is simply an ID. The ID must be unique within an index, so if you merge buckets from different indexes, you must rename the bucket to change the index to guarantee it's unique in the merged index. And easy way is to just tack a different digit (or set of digits) to the end of the name, e.g., if it comes from source A, then bucket 55 becomes bucket 551, and source B bucket 55 would become bucket 552, etc.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-18-2010 12:39 PM

Almost. Buckets are named, e.g., hot_v1_42 for hot or db_123457890_1224567890_55 for warm and cold. (The first two numbers are time ranges of the bucket data) And the last one is simply an ID. The ID must be unique within an index, so if you merge buckets from different indexes, you must rename the bucket to change the index to guarantee it's unique in the merged index. And easy way is to just tack a different digit (or set of digits) to the end of the name, e.g., if it comes from source A, then bucket 55 becomes bucket 551, and source B bucket 55 would become bucket 552, etc.

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...