I'm looking for a clean way to copy an index or duplicate a data stream without having to index it twice.
We have a Splunk production environment, but are setting up a new environment. This one is more development-based, but would use some of the data that is running in production.
Seeing as we don't want to mix dev and prod, but don't want to index data twice, what would be the best way to make certain data or indexes available to both machines?
We tried a setup with forwarding from the prod machine, and with transforms and props we managed to get the correct data to our dev machine, but then the prod machine stopped indexing altogether...
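For reference, this is what a props/transforms/outputs routing setup of the kind described in the question looks like on the production indexer. It is an added example, not the poster's configuration; the sourcetype `app_logs`, the transform name `route_to_dev`, the output group `dev_indexers` and the host `dev-splunk.example.com:9997` are assumed placeholders. The `indexAndForward` line is the one to check when an indexer that has just been given an outputs.conf stops writing to its own indexes: without it a full Splunk instance with a tcpout group only forwards. Events that match no routing transform go to `defaultGroup` if one is set and are otherwise only indexed locally.

```ini
# props.conf on the production indexer (added example, assumed sourcetype)
# TRANSFORMS-* is applied at parsing time, so this must live on the indexer
# or a heavy forwarder, not on a universal forwarder.
[app_logs]
TRANSFORMS-routing = route_to_dev

# transforms.conf on the production indexer
# Setting _TCP_ROUTING picks the outputs.conf tcpout group for matching events.
# REGEX = . matches every event of the sourcetype; narrow it to share less.
[route_to_dev]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = dev_indexers

# outputs.conf on the production indexer
[tcpout]
# Keep indexing locally as well as forwarding. Left at the default (false),
# the prod instance forwards only and its own indexes stop filling up.
indexAndForward = true

[tcpout:dev_indexers]
# Assumed hostname and receiving port of the dev instance
# (the dev side must have receiving enabled on this port).
server = dev-splunk.example.com:9997
```

Two caveats a practitioner would want here: the copy landing on the dev machine is metered by the dev instance's own license at index time, so this setup does not avoid paying for the volume twice; and data reaching dev is no longer under the prod instance's access controls, so only route sourcetypes that are acceptable in the dev environment.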
First of all a question: Do you really need to copy your indexes to new indexers? If so, do you really think you need new indexers? You could just set up a new search head which points to your existing indexers and do your development from there.
Let's say, not copy the index directly. Just copy the stream of data, but without it being indexed twice (don't want to waste volume).
How would I go about doing that without having to set up a new server if possible...
I'm open to all suggestions, as long as I'm not wasting license volume.
If you want your prod data to be useful/available for dev, without indexing, you only need to set up a search head for dev and point it to the existing indexers.
Alternatively, on your laptop/dev machine, you can have Splunk and the eventgen app and config (taking samples from prod) and do your development.
In both cases you will need some compute and a license (or the free one), but it is an option.
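The search-head approach from the two answers above, as an added example that is not part of either answer: a dev search head that searches the existing production indexers and indexes nothing itself, so no license volume is consumed a second time. The indexer addresses `prod-idx1.example.com` and `prod-idx2.example.com`, the role name `role_dev` and the index name `app_logs` are assumed placeholders.

```ini
# distsearch.conf on the dev search head (added example)
# The search head runs searches against these indexers; it does not index.
# Assumed management-port (8089) addresses of the existing prod indexers.
[distributedSearch]
servers = https://prod-idx1.example.com:8089, https://prod-idx2.example.com:8089

# authorize.conf on the dev search head
# The dev search head sees everything its roles are allowed to search on prod,
# so restrict dev users to the indexes they actually need (assumed names).
[role_dev]
importRoles = user
srchIndexesAllowed = app_logs
srchIndexesDefault = app_logs
```

When distsearch.conf is edited by hand, the search head's public key in `$SPLUNK_HOME/etc/auth/distServerKeys/trusted.pem` also has to be copied to each indexer under `$SPLUNK_HOME/etc/auth/distServerKeys/<search_head_name>/trusted.pem`; adding the indexers with `splunk add search-server https://prod-idx1.example.com:8089 -auth <user>:<password> -remoteUsername <user> -remotePassword <password>` does that key exchange for you. Keep a separate, restricted role for dev users rather than reusing prod admin roles, since the search head exposes prod data to whoever can log in to it.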