Deployment Architecture

How to split data from old indexer to new indexers.

brent89567
New Member

I have a setup right now where we have 1 indexer in our test environment and we are putting 2 new indexers in the production environment. I need to know if I move all the data from the old indexer and split it evenly between the new indexers, will I run into any errors on the two indexers?

0 Karma

gcusello
SplunkTrust

Hi @brent89567,
you should share more info:

  • are the new indexers clustered or not?
  • if not clustered, do you want both indexers to receive all the logs, or will some indexes be on Indexer1 and some others on Indexer2?

Anyway, if you have clustered indexers, it isn't possible to replicate old data, so the old data can be copied to one indexer (into a different index) and the new data will be replicated between both of them; the steps are:

  • stop all indexers,
  • copy indexes from the old Indexer to one of the new ones using a different name (e.g. my_index will be my_old_index),
  • restart Splunk in the new Indexers,
  • put indexes.conf in master Node and push the configuration,
  • change all your searches to search in both indexes (index=my_index OR index=my_old_index); a good idea is to use eventtypes in your searches so you only have to change the eventtype,
  • move addressing in Universal Forwarders to send logs to the new Indexers.

If instead you want to use stand-alone Indexers, you have to:

  • stop Splunk in all the three servers,
  • copy Indexes in one Indexer (eventually some indexes in Indexer1 and some others in Indexer2),
  • copy indexes.conf in both the new Indexers,
  • restart the new Indexers,
  • move addressing in Universal Forwarders to send logs to the new Indexers.

Ciao.
Giuseppe

0 Karma
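
The clustered procedure from the answer above, sketched as Splunk configuration. This is an added example, not part of the original posts: the index names my_index and my_old_index come from the answer, while the event type name, output group name, host names and receiving port 9997 are assumptions.

```ini
# --- indexes.conf (pushed from the master node to both new indexers) ---

# Index that receives new data; replicated across the cluster peers.
[my_index]
homePath   = $SPLUNK_DB/my_index/db
coldPath   = $SPLUNK_DB/my_index/colddb
thawedPath = $SPLUNK_DB/my_index/thaweddb
repFactor  = auto

# Index holding the buckets copied from the old indexer under a new name.
# Its data lives only on the indexer the buckets were copied to.
[my_old_index]
homePath   = $SPLUNK_DB/my_old_index/db
coldPath   = $SPLUNK_DB/my_old_index/colddb
thawedPath = $SPLUNK_DB/my_old_index/thaweddb

# --- eventtypes.conf (on the search head) ---

# Hypothetical event type name. Searches use eventtype=my_index_all
# instead of naming the indexes, so only this stanza changes later.
[my_index_all]
search = index=my_index OR index=my_old_index

# --- outputs.conf (on each Universal Forwarder) ---

# Placeholder host names; 9997 is assumed to be the receiving port.
[tcpout]
defaultGroup = prod_indexers

[tcpout:prod_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
```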

richgalloway
SplunkTrust

More information is needed.
Do you need to move the test data to production?
Are the indexers clustered in test or prod?
How much data is there?

---
If this reply helps you, Karma would be appreciated.
0 Karma