We currently have Splunk running on two separate servers in a distributed search environment. However, we need to eliminate the second server and consolidate Splunk to a single instance. I came across a similar question (Consolidate Databases from multiple splunk instances).
Is this process still the same for Splunk 6? Are there any potential issues with doing this? Existing searches and reports will still need to access the historical data from Splunk 2.
Thanks in advance.
Awesome. I've already moved searches over and have been using them on Splunk 1 so everything should continue to work as expected. I plan on consolidating in the next day or two, so I'll report back. Thanks again!
Thanks. My understanding is that the only thing I would need to do is to redirect traffic to Splunk 1 and then use Shuttl to manage the moving of data from Splunk 2 to Splunk 1. Is this correct? If so, this seems like it may be simpler than I initially imagined.