Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to migrate two linux indexers into one

jonringler
Engager
‎10-02-2019 09:32 AM

I am looking into simplifying my Splunk architecture. I currently have two Linux indexers in different regions.

They are currently setup identical - same indexes, same everything. They are collecting logs for each region.

We are migrating to a transit network that will have access to both regions.

I need to take the data from both indexers and combine them together on a new Linux indexer.

How do I merge the two indexers together?

Reply

woodcock
Esteemed Legend
‎10-02-2019 06:20 PM

Assuming you are not clustered, like this:

1: Go onto the existing indexers and copy the contents of every `$SPLUNK_HOME/var/lib/splunk/*.dat` file.
2: For each index, add these 2 numbers together and then add and extra 1000 to the sum.
3: Create the new indexer but BEFORE YOU START IT FOR THE FIRST TIME, manually create each `$SPLUNK_HOME/var/lib/splunk/*.dat` file with the number you calculated in the previous step.
4: Start the new indexer and point all the forwarders to it.
5: Stop both of the old indexers.
6: Pick one and copy all of the buckets as-is to the new indexer (Yes, you can do this while the new indexer is still running).
7: Once again, copy the contents of every `$SPLUNK_HOME/var/lib/splunk/*.dat` file; now you are done with this indexer.
8: Stop the other old indexer and use a script to update each bucket's bucket ID (the last number in the directory) to be the existing number PLUS the number that you saved in the previous step.
9: Copy all of the renamed/renumbered buckets as-is to the new indexer (Yes, you can do this while the new indexer is still running).
10: Restart the new indexer.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...