Solved: Can I merge data buckets from multiple indexes or ...

Dan · ‎06-18-2010

Multiple indexes: I had mistakenly created indexes X and Y, and now I want to merge the two data sets.

Multiple indexers: I want to create a Splunk "archive instance" that collects frozen buckets from multiple indexers and treats them as live data. The idea is that users can log in to the archive instance to search across very old data without having to restore it first.

In either case, will it work to just copy buckets from different directories into one?

gkanapathy · ‎06-18-2010

Almost. Buckets are named, e.g., hot_v1_42 for hot or db_123457890_1224567890_55 for warm and cold. (The first two numbers are time ranges of the bucket data) And the last one is simply an ID. The ID must be unique within an index, so if you merge buckets from different indexes, you must rename the bucket to change the index to guarantee it's unique in the merged index. And easy way is to just tack a different digit (or set of digits) to the end of the name, e.g., if it comes from source A, then bucket 55 becomes bucket 551, and source B bucket 55 would become bucket 552, etc.

View solution in original post

gkanapathy · ‎06-18-2010

Almost. Buckets are named, e.g., hot_v1_42 for hot or db_123457890_1224567890_55 for warm and cold. (The first two numbers are time ranges of the bucket data) And the last one is simply an ID. The ID must be unique within an index, so if you merge buckets from different indexes, you must rename the bucket to change the index to guarantee it's unique in the merged index. And easy way is to just tack a different digit (or set of digits) to the end of the name, e.g., if it comes from source A, then bucket 55 becomes bucket 551, and source B bucket 55 would become bucket 552, etc.

Can I merge data buckets from multiple indexes or indexers?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes