Deployment Architecture

How to migrate two linux indexers into one


I am looking into simplifying my Splunk architecture. I currently have two Linux indexers in different regions.

They are currently setup identical - same indexes, same everything. They are collecting logs for each region.

We are migrating to a transit network that will have access to both regions.

I need to take the data from both indexers and combine them together on a new Linux indexer.

How do I merge the two indexers together?

Esteemed Legend

Assuming you are not clustered, like this:

1: Go onto the existing indexers and copy the contents of every `$SPLUNK_HOME/var/lib/splunk/*.dat` file.
2: For each index, add these 2 numbers together and then add and extra 1000 to the sum.
3: Create the new indexer but BEFORE YOU START IT FOR THE FIRST TIME, manually create each `$SPLUNK_HOME/var/lib/splunk/*.dat` file with the number you calculated in the previous step.
4: Start the new indexer and point all the forwarders to it.
5: Stop both of the old indexers.
6: Pick one and copy all of the buckets as-is to the new indexer (Yes, you can do this while the new indexer is still running).
7: Once again, copy the contents of every `$SPLUNK_HOME/var/lib/splunk/*.dat` file; now you are done with this indexer.
8: Stop the other old indexer and use a script to update each bucket's bucket ID (the last number in the directory) to be the existing number PLUS the number that you saved in the previous step.
9: Copy all of the renamed/renumbered buckets as-is to the new indexer (Yes, you can do this while the new indexer is still running).
10: Restart the new indexer.
0 Karma
Get Updates on the Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...