Solved: How to migrate an index from a single instance to ...

ranjitbrhm1 · ‎08-01-2018

hello everyone

I have a fortinet index that I would like to migrate to a 2 instance cluster ( one is having the data other indexer is not having the data). I have the following files on my indexer folder

colddb
datamodel_summary
db
thaweddb

I have tried copying the guide and renaming the file to

colddb_XXXX
datamodel_summary_XXXX
db_XXXX
thaweddb_XXXX

When I start Splunk back again nothing gets clustered instead it just creates new folders and does nothing. Can anyone tell me what I am doing wrong here?
Thanks

dxu_splunk · ‎08-01-2018

for data you want to become clustered, you'll want to rename the folders inside these folders (db/ colddb/ datamodel_summary/) into its clustered version. for example.

db/db_A_B_0
db/db_C_D_1

should be renamed

db/db_A_B_0_GUID
db/db_C_D_1_GUID

on startup, the Splunk indexer will infer that these individual buckets are clustered buckets because of the existence of "_GUID" at the end of folder name.

View solution in original post

dxu_splunk · ‎08-01-2018

for data you want to become clustered, you'll want to rename the folders inside these folders (db/ colddb/ datamodel_summary/) into its clustered version. for example.

db/db_A_B_0
db/db_C_D_1

should be renamed

db/db_A_B_0_GUID
db/db_C_D_1_GUID

on startup, the Splunk indexer will infer that these individual buckets are clustered buckets because of the existence of "_GUID" at the end of folder name.

ranjitbrhm1 · ‎08-05-2018

Thanks for your assistance. But it doesnt seem to be working. Actually i read the exact same method that you suggested somewhere else as well. I might be missing some crucial step here. I have an index called web inside the web folder there is db and inside db is the folder
db_1523802056_1523197336_0
my guid is : C8F87DC9-9F30-4747-A1A4-8D4186FF4DBE
so i renamed my db into folder inside db into
db_1523802056_1523197336_0_C8F87DC9-9F30-4747-A1A4-8D4186FF4DBE
and i restarted the individual indexer. but nothing seems to be happening. Do i have to restart the cluster master as well to kick this thing off?

dxu_splunk · ‎08-05-2018

Hey ranjit, have you made the index a clustered index? you'll need to set repFactor=auto for all indexes you'd like to be clustered (on the cluster master etc/master-apps/_cluster/local/indexes.conf, and then push the cluster bundle)

ranjitbrhm1 · ‎08-05-2018

Now its replicating. Thanks.

sudosplunk · ‎08-01-2018

Hello, please have a look at below for detailed and better explanation.

http://docs.splunk.com/Documentation/Splunk/7.1.2/Indexer/Migratenon-clusteredindexerstoaclustereden...

ranjitbrhm1 · ‎08-01-2018

I am trying to join this server into the cluster. This server is not part of the cluster earlier. So this index was residing on the cluster before i tried to join on to the cluster. So your solution wont work here. Sorry.