Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Consolidating Splunk servers

sc0tt
Builder
‎12-30-2013 06:59 AM

We currently have Splunk running on two separate servers in a distributed search environment. However, we need to eliminate the second server and consolidate Splunk to a single instance. I came across a similar question (Consolidate Databases from multiple splunk instances).

Is this process still the same for Splunk 6? Are there any potential issues with doing this? Existing searches and reports will still need to access the historical data from Splunk 2.

Thanks in advance.

0 Karma
Reply

treinke
Builder
‎12-30-2013 07:05 AM

You might want to look at using Shuttl to move the data from the second server to the first.

Shuttl:
http://apps.splunk.com/app/1195/

There are no answer without questions
Reply

sc0tt
Builder
‎01-05-2014 01:52 AM

FYI - After following up with Splunk it appears that the most recent version of Shuttl is not compatible with Splunk 6. However, manually copying the bucket folders should be simple enough.

0 Karma
Reply

sc0tt
Builder
‎12-30-2013 07:48 AM

One more question - do you know if Shuttl is compatible with Splunk 6? On the app page it only shows 5.0 and 4.3.

0 Karma
Reply

sc0tt
Builder
‎12-30-2013 07:45 AM

Awesome. I've already moved searches over and have been using them on Splunk 1 so everything should continue to work as expected. I plan on consolidating in the next day or two, so I'll report back. Thanks again!

0 Karma
Reply

treinke
Builder
‎12-30-2013 07:36 AM

Correct. If you have any saved searches on server you would need to move them over also, but Shuttl really makes the process easier.

There are no answer without questions
0 Karma
Reply

sc0tt
Builder
‎12-30-2013 07:31 AM

Thanks. My understanding is that the only thing I would need to do is to redirect traffic to Splunk 1 and then use Shuttl to manage the moving of data from Splunk 2 to Splunk 1. Is this correct? If so, this seems like it may be simpler than I initially imagined.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...