Deployment Architecture

How to migrate Data from One SHC to a new SHC (Including ITSI Correlation Search)?

JohnWilly
Engager

We have an SHC cluster on enterprise Version 7.3.5 & ITSI 4.4. Recently we trigged to upgrade our ITSI from 4.4.X to 4.7.0 and it failed.

It was an generic error message and support was not able to find the root cause.

So we are now trying to build a new SHC in parallel (Same Version as Original one) and connect it to the same Indexer cluster. We want to make sure original cluster is working fine until we are sure that new SHC is an exact replica.

1] Is there an issue having new different SHC connected to a same index cluster?

2] How do we migrate all the data from one SHC to another including the ITSI correlation Search , Dashboards, Lookup table, Entities etc.

3] Upon Migration can we upgrade ITSI to 4.7 and above  on new SHC?

Labels (2)
Tags (2)
0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @JohnWilly,

Actually, I didn't use backup/restore for ITSI but it should work if Splunk and ITSI versions are the same on the destination. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @JohnWilly,

1- Since ITSI is using a lot of data models adding a new SHC to the indexer cluster will cause duplicate acceleration tsidx files. This will put an extra load into the system for CPU, I/O and storage space. That's why I would not do it.

2- You can use full backup/restore procedure.  Create a full backup of ITSI

3- Since Splunk Enterprise 7.3.5 supports ITSI 4.7 you should be able to upgrade. But because of backup/restore you may have the same upgrade problem.

My advice is upgrade Splunk Enterprise and ITSI to a supported version.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

JohnWilly
Engager

Hi @scelikok 

Thank you for responding.

Regarding the backup restore option. When we tried to take backup from one SHC and restore on another it was giving some error. Is there any restrictions?

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...