Deployment Architecture

Move buckets - Retain old hostnames?

gnovak
Builder

Based on this previous question here:

http://splunk-base.splunk.com/answers/49844/move-splunk-databases-to-new-indexer-in-new-location

I have an additional question about moving buckets. We're closing a datacenter here so all the data in buckets on an indexer is being asked to be moved to a different datacenter. Also, servers that are existing at this datacenter that is closing are being retired or redone with new hostnames and IPs.

If you were to move buckets from one indexer to another, would those buckets retain the old hostnames of servers they received data from? I assume YES but figured I'd ask. Any ideas here?

I wonder if this would cause an issue because... some of these servers that are being moved will still contain old logs from when the server had a different name or IP. I'm wondering if it's just easier to see about reindexing the data under the new name.

0 Karma
1 Solution

jbsplunk
Splunk Employee

Indexed data won't be altered by moving buckets. You're moving all the data as it exists from the source to a destination instance, not altering the event data.


gnovak
Builder

Yep, that answers it... thanks so much.

0 Karma

jbsplunk
Splunk Employee

Sorry if I am being unclear. What I mean to say is that whatever was extracted at index time will remain in the host field for the lifetime of that particular event. Moving an event from one index, or server, to another would have no effect on the fields extracted at index time.

0 Karma

gnovak
Builder

Ok so then the moved data would show up under the old hostnames then, correct?

0 Karma

jbsplunk
Splunk Employee

host is a metadata field written to each event at index time in the index. They are not changed once an event is indexed, irrespective of where the data exists.

0 Karma

gnovak
Builder

I'm not saying that the indexed data would be altered. I'm saying the data would be tagged with a hostname that doesn't exist any more. Meanwhile the same data was moved to a new host that now has a different hostname and will be reindexed again. That's what I'm asking - if the data in the buckets is mapped to hostnames, EVEN IF you move those buckets to another indexer.

0 Karma

gnovak
Builder

Well, if the data in the buckets is being moved and originally it showed up under a host that no longer exists, how does that work? If I ran a search for a sourcetype would it pull up the data AND show it coming from a host that no longer exists?

0 Karma