Deployment Architecture

Migrating an index configuration from a single instance to an indexer cluster

brettcave
Builder

I have a custom index defined in apps/search/local/indexes.conf that receives data pretty much continuously.

I am migrating from a single instance deployment to a clustered indexer with separate SHC. To move from single to distributed, I am looking to deploy new indexer nodes, master node and SH nodes, and then join the existing single instance to the indexer cluster. As part of this, I am looking to manage the index configuration across the indexer cluster by the master, by adding it to etc/master-apps/_cluster/local/indexes.conf.

If the master is deployed with indexes.conf in the _cluster directory, as new indexers are added to the cluster, they will have the index definition. But when I add the current standalone instance to the cluster, will that cause any issues, having the index defined in 2 places? I will also be adding repFactor=auto to the index definition. What is the best way to migrate an index definition from standalone to clustered without disruption?


woodcock
Esteemed Legend

No, that will be fine but be aware that pre-clustered index data will NOT become clustered; only new data will.


gcusello
SplunkTrust

Hi brettcave,
I'm sure that you already saw this documentation https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Migratenon-clusteredindexerstoaclusterede...
Anyway, first remember that when you add a new index to a cluster, it starts to replicate data from the new ones, so the old ones aren't replicated between cluster members.
So analyze your data to understand what's the best solution for you:

  • put old data in a different non-replicated index with a similar name, manually copying files on each indexer; obviously the index must be defined in the _cluster indexes.conf, and slowly it will be empty because it doesn't receive new data and old ones are discarded for retention policies;
  • discard old data (if possible),
  • reindex old data after the cluster creation.

In your case, you have to delete the entry of indexes.conf from the apps folder.

One additional piece of information: you can also put your apps containing indexes.conf, props.conf, etc. files in the $SPLUNK_HOME/etc/master-apps folder, e.g. you could create a TA_indexes instead of using the _cluster folder.

Bye.
Giuseppe

skalliger
Motivator

Hi,

there is a nice docs page about this topic: Migrate non-clustered indexers to a clustered environment.

I would not recommend putting your configs under _cluster/local. Instead, create an app called something like all_indexes which will contain only index definitions. This way, you can push that config file/app also to your SHC.
You can define repFactor under the [default] stanza in the indexes.conf as well. Or just add it to every index. You should not define indexes in multiple places. If any settings aren't the same in the configs, you might run into unexpected issues.

Skalli
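
The warning above about an index defined in multiple places with differing settings can be checked before the standalone instance joins the cluster. This Python sketch is an added example, not code from the thread or from Splunk; the index name `my_custom_index`, the setting values, and the function names are constructed for illustration, and the two paths are the ones mentioned in the question, used here only as labels.

```python
import configparser
from collections import defaultdict

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {setting: value}}."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep case: Splunk setting names are case-sensitive
    # Settings placed before any stanza are global, so file them under [default].
    cp.read_string("[default]\n" + text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def index_conflicts(conf_files):
    """conf_files maps a path label to indexes.conf text.
    Returns {index: {setting: {path: value or None}}} for every index stanza
    that appears in more than one file, listing only settings that differ."""
    seen = defaultdict(dict)
    for path, text in conf_files.items():
        for stanza, settings in parse_conf(text).items():
            # Simplification: [default] and "type:name" stanzas (e.g. volumes)
            # are not treated as index definitions.
            if stanza == "default" or ":" in stanza:
                continue
            seen[stanza][path] = settings
    report = {}
    for index, by_path in seen.items():
        if len(by_path) < 2:
            continue
        diffs = {}
        for key in sorted(set().union(*by_path.values())):
            values = {p: s.get(key) for p, s in by_path.items()}
            if len(set(values.values())) > 1:
                diffs[key] = values
        report[index] = diffs
    return report

# Constructed sample input: the same index defined in both locations.
BASE = ("[my_custom_index]\nhomePath = $SPLUNK_DB/my_custom_index/db\n"
        "coldPath = $SPLUNK_DB/my_custom_index/colddb\n"
        "thawedPath = $SPLUNK_DB/my_custom_index/thaweddb\n")
SAMPLE = {
    "apps/search/local/indexes.conf": BASE + "frozenTimePeriodInSecs = 7776000\n",
    "master-apps/_cluster/local/indexes.conf":
        BASE + "repFactor = auto\nfrozenTimePeriodInSecs = 15552000\n",
}

if __name__ == "__main__":
    for index, diffs in index_conflicts(SAMPLE).items():
        print(index, diffs)
```

An empty dictionary for an index means it is defined more than once but with identical settings; a value of `None` means the setting is absent from that file.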
