Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a cluster with an existing indexer without losing its data?

janot
New Member
‎10-16-2014 09:39 AM

Hello,

I have checked all the Splunk documentation and I cannot find any answer to my question (since I think I have a specific use case). I would be very glad if you can help me.

I currently have a Splunk Indexer in v6 which has indexed data for many months now.
Is it possible to create a cluster :
- based on my existing Indexer (node 1)
- by adding a new Indexer (node 2)
- without losing my current data.

Thank you in advance for your help !

Tags (2)
0 Karma
Reply

ekost
Splunk Employee
Splunk Employee
‎10-20-2014 12:10 PM

Hello. To your point, there is not a recommendation or a specific procedure I can find that takes one existing Splunk indexer and makes a cluster out of it.

Why? That would require taking the known good and functioning production instance and putting it through a major configuration change without a back out option. Migrating an indexer to a cluster node is a one-way process.

Instead, this is a perfect opportunity to roll a full cluster, see it stabilize, learn how to administer it, and get comfortable with the changes to the app distribution process before making major changes to the data collection infrastructure. The existing instance continues working and the users are not impacted. Only after the forwarders/data collection is flipped over to the new cluster do you need to present the old data for searching.

Reply

ekost
Splunk Employee
Splunk Employee
‎10-16-2014 12:17 PM

Yes, you can add a non-clustered indexer to cluster and have the unreplicated data searchable on 6.x versions of Splunk Enterprise. There is a lot to read on the topic of clusters, but you can begin with the topic: Migrate non-clustered indexers to a clustered environment to validate the use case. It's best if there's a working cluster first, and the other indexer is added to the working cluster.

Reply

janot
New Member
‎10-17-2014 01:41 AM

Thank you ekost for your answer.
Unfortunately I am still a little bit confused since my usecase is a little bit different of which exposed in your link.

My usecase is not really adding an Indexer to an existing cluster, but creating a cluster by using my current standalone Indexer and by adding a new Indexer + a Master Node. So it is more a cluster creation based on an existing standalone Splunk architecture than a cluster extension.

I will be very grateful if you could clarify this particular point.

Thank you again.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...