Deployment Architecture

How to split data from old indexer to new indexers.

brent89567
New Member

I have a setup right now where we have 1 indexer in our test environment and we are putting 2 new indexers in the production environment. I need to know if I move all the data from the old indexer and split it evenly between the new indexers, will I run into any errors on the two indexers?

0 Karma

gcusello
SplunkTrust

Hi @brent89567,
you should share more info:

  • are the new indexers clustered or not?
  • if not clustered, do you want both indexers to receive all the logs, or will some indexes be on Indexer1 and some others on Indexer2?

Anyway, if you have clustered indexers, it isn't possible to replicate old data, so old data can be copied to one indexer (in a different index) and the new data will be replicated between both of them; the steps are:

  • stop all indexers,
  • copy indexes from old Indexers to one of the new ones using a different name (e.g. my_index will be my_old_index),
  • restart Splunk in the new Indexers,
  • put indexes.conf on the Master Node and push the configuration,
  • change all your searches to search in both the indexes (index=my_index OR index=my_old_index), a good idea is to use eventtypes in your searches so you have to change only the eventtype,
  • move addressing in Universal Forwarders to send logs to the new Indexers.

If instead you want to use stand-alone Indexers, you have to:

  • stop Splunk in all the three servers,
  • copy Indexes in one Indexer (eventually some indexes in Indexer1 and some others in Indexer2),
  • copy indexes.conf in both the new Indexers,
  • restart the new Indexers,
  • move addressing in Universal Forwarders to send logs to the new Indexers.

Ciao.
Giuseppe

0 Karma
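The clustered procedure in the answer above, written out as configuration. This is an added example, not part of the original posts: the index names `my_index` and `my_old_index` come from the answer, while the eventtype name `my_events`, the app location, and the use of the default `$SPLUNK_DB` paths are assumptions.

```ini
# --- indexes.conf ---
# Assumed location on the master node before pushing the bundle:
#   $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf

# Index that receives new data from the forwarders; replicated across the peers.
[my_index]
homePath   = $SPLUNK_DB/my_index/db
coldPath   = $SPLUNK_DB/my_index/colddb
thawedPath = $SPLUNK_DB/my_index/thaweddb
repFactor  = auto

# Index holding the buckets copied from the old indexer under a different name.
# The copied directory must sit at these paths on the peer that received the copy.
# No repFactor here: per the answer, the old data stays on that one indexer.
[my_old_index]
homePath   = $SPLUNK_DB/my_old_index/db
coldPath   = $SPLUNK_DB/my_old_index/colddb
thawedPath = $SPLUNK_DB/my_old_index/thaweddb

# --- eventtypes.conf ---
# Assumed location: the local directory of a search app on the search head.
# "my_events" is a hypothetical name.
[my_events]
search = index=my_index OR index=my_old_index
```

Searches then use `eventtype=my_events` instead of naming either index, so only this one stanza changes once the old index ages out.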

richgalloway
SplunkTrust

More information is needed.
Do you need to move the test data to production?
Are the indexers clustered in test or prod?
How much data is there?

---
If this reply helps you, Karma would be appreciated.
0 Karma