I have checked all the Splunk documentation and I cannot find any answer to my question (since I think I have a specific use case). I would be very glad if you can help me.
I currently have a Splunk Indexer in v6 which has indexed data for many months now.
Is it possible to create a cluster:
- based on my existing Indexer (node 1)
- by adding a new Indexer (node 2)
- without losing my current data.
Thank you in advance for your help!
Yes, you can add a non-clustered indexer to a cluster and have the unreplicated data searchable on 6.x versions of Splunk Enterprise. There is a lot to read on the topic of clusters, but you can begin with the topic: Migrate non-clustered indexers to a clustered environment to validate the use case. It's best if there's a working cluster first, and the other indexer is added to the working cluster.
Thank you ekost for your answer.
Unfortunately, I am still a little bit confused since my use case is a little bit different from the one presented in your link.
My use case is not really adding an Indexer to an existing cluster, but creating a cluster by using my current standalone Indexer and by adding a new Indexer + a Master Node. So it is more a cluster creation based on an existing standalone Splunk architecture than a cluster extension.
I will be very grateful if you could clarify this particular point.
Thank you again.
Hello. To your point, there is not a recommendation or a specific procedure I can find that takes one existing Splunk indexer and makes a cluster out of it.
Why? That would require taking the known good and functioning production instance and putting it through a major configuration change without a back-out option. Migrating an indexer to a cluster node is a one-way process.
Instead, this is a perfect opportunity to roll a full cluster, see it stabilize, learn how to administer it, and get comfortable with the changes to the app distribution process before making major changes to the data collection infrastructure. The existing instance continues working and the users are not impacted. Only after the forwarders/data collection is flipped over to the new cluster do you need to present the old data for searching.