Deployment Architecture

How to migrate two Linux indexers into one

jonringler
Engager

I am looking into simplifying my Splunk architecture. I currently have two Linux indexers in different regions.

They are currently set up identically - same indexes, same everything. They are collecting logs for each region.

We are migrating to a transit network that will have access to both regions.

I need to take the data from both indexers and combine them together on a new Linux indexer.

How do I merge the two indexers together?

woodcock
Esteemed Legend

Assuming you are not clustered, like this:

1: Go onto the existing indexers and copy the contents of every `$SPLUNK_HOME/var/lib/splunk/*.dat` file.
2: For each index, add these 2 numbers together and then add an extra 1000 to the sum.
3: Create the new indexer but BEFORE YOU START IT FOR THE FIRST TIME, manually create each `$SPLUNK_HOME/var/lib/splunk/*.dat` file with the number you calculated in the previous step.
4: Start the new indexer and point all the forwarders to it.
5: Stop both of the old indexers.
6: Pick one and copy all of the buckets as-is to the new indexer (Yes, you can do this while the new indexer is still running).
7: Once again, copy the contents of every `$SPLUNK_HOME/var/lib/splunk/*.dat` file; now you are done with this indexer.
8: Stop the other old indexer and use a script to update each bucket's bucket ID (the last number in the directory) to be the existing number PLUS the number that you saved in the previous step.
9: Copy all of the renamed/renumbered buckets as-is to the new indexer (Yes, you can do this while the new indexer is still running).
10: Restart the new indexer.
0 Karma
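
Step 8 above calls for a script that adds a saved number to each bucket's ID. The following is an added example, not part of the answer or of Splunk's tooling: it assumes non-clustered warm/cold bucket directories named `db_<newest>_<oldest>_<id>`, the function names are hypothetical, and it only prints the plan unless `--apply` is given. Directories that do not match that pattern are left untouched.

```python
#!/usr/bin/env python3
"""Renumber Splunk bucket directories by a fixed offset (added example)."""
import re
import sys
from pathlib import Path

# Assumed layout of a non-clustered warm/cold bucket: db_<newest>_<oldest>_<id>
BUCKET_RE = re.compile(r"^(db_\d+_\d+_)(\d+)$")


def plan_renames(bucket_dir, offset):
    """Return [(old_path, new_path)], highest bucket ID first.

    Highest-first ordering means a bucket is never renamed onto a name that a
    sibling waiting for its own rename still holds.
    """
    if offset <= 0:
        raise ValueError("offset must be a positive integer")
    found = []
    for entry in Path(bucket_dir).iterdir():
        m = BUCKET_RE.match(entry.name)
        if entry.is_dir() and m:
            found.append((int(m.group(2)), m.group(1), entry))
    found.sort(key=lambda t: t[0], reverse=True)
    return [(p, p.with_name(f"{prefix}{bid + offset}")) for bid, prefix, p in found]


def renumber(bucket_dir, offset, apply=False):
    """Print the plan and return it; rename on disk only when apply=True."""
    plan = plan_renames(bucket_dir, offset)
    sources = {old for old, _ in plan}
    for old, new in plan:
        # A target that exists and is not itself due to be renamed is a real clash.
        if new.exists() and new not in sources:
            raise FileExistsError(f"{new} already exists; refusing to overwrite")
    for old, new in plan:
        print(f"{old.name} -> {new.name}")
        if apply:
            old.rename(new)
    return plan


if __name__ == "__main__":
    # Usage: renumber_buckets.py <db or colddb directory> <offset> [--apply]
    renumber(sys.argv[1], int(sys.argv[2]), apply="--apply" in sys.argv[3:])
```

Run it once per index directory on the stopped indexer, review the printed plan, then repeat with `--apply` before copying the buckets.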