Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to forward from stand-alone server to an index cluster

mykol_j
Communicator
‎04-11-2022 11:23 AM

Sounds easy, eh? I've been using Splunk since v3 -- and I've setup forwarding for servers dozens of times, and migrated countless indexes, but this one is kicking my butt.

I have a stand-alone Splunk server (Enterprise) that's been ingesting data for years in the form of CSV files and providing a front end for analysts. I need to decommission that box and get the data into our main cluster. I setup forwarding from the stand-alone server to feed into a heavy forwarder (that has a thousand other hosts feeding into it) and then into the cluster. It's working insomuch as it forwarded data but only from the last CSV file (back to March 17th, FWIW). I can't simply copy the files into a new index because of the cluster, and I no longer have the previous CSV files to re-ingest (going back to 2009). I've tried clearing the fishbucket hoping to force it to resend everything it knows. It's feeding into an index of the same name. No errors in splunkd.log...

Thoughts?

Thanks!

Michael

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-11-2022 11:42 PM

Hi @mykol_j,

forwarding isn't retroactive.

the only way is extract all data in row format and indexing them again.

It isn't an easy job because you have to take host, index and sourcetype informations from the logs, you can do this manually or with a not immediate override process using regexes or a script.

The only alternative is to copy these indexes in one Indexer, modify eventtypes taking both ond ald new indexes and waiting that the data from the old Indexer will be out of the retention period.

You cannot add the old Indexer to the cluster because also cluster replication isn't retroactive.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-11-2022 11:42 PM

Hi @mykol_j,

forwarding isn't retroactive.

the only way is extract all data in row format and indexing them again.

It isn't an easy job because you have to take host, index and sourcetype informations from the logs, you can do this manually or with a not immediate override process using regexes or a script.

The only alternative is to copy these indexes in one Indexer, modify eventtypes taking both ond ald new indexes and waiting that the data from the old Indexer will be out of the retention period.

You cannot add the old Indexer to the cluster because also cluster replication isn't retroactive.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

mykol_j
Communicator
‎04-12-2022 07:50 AM

Grazie Giuseppe,

Not exactly what I wanted to hear, but at least it's an answer.

I guess I'll have to do a giant export, then an import -- ugh, not looking forward to that.

Cheers,

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-12-2022 08:39 AM

hi @mykol_j.

I'm sorry!

In Italy we say "messenger brings no pain"!

Anyway, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...