
Move buckets - Retain old hostnames?

Builder

Based on this previous question here:

http://splunk-base.splunk.com/answers/49844/move-splunk-databases-to-new-indexer-in-new-location

I have an additional question about moving buckets. We're closing a datacenter here, so all the data in buckets on an indexer is being asked to be moved to a different datacenter. Also, servers that are existing at this datacenter that is closing are being retired or redone with new hostnames and IPs.

If you were to move buckets from one indexer to another, would those buckets retain the old hostnames of servers they received data from? I assume YES but figured I'd ask. Any ideas here?

I wonder if this would cause an issue because... some of these servers that are being moved will still contain old logs from when the server had a different name or IP. I'm wondering if it's just easier to see about reindexing the data under the new name.


Re: Move buckets - Retain old hostnames?

Splunk Employee

Indexed data won't be altered by moving buckets. You're moving all the data as it exists from the source to a destination instance, not altering the event data.


Re: Move buckets - Retain old hostnames?

Builder

Well, if the data in the buckets is being moved and originally it showed up under a host that no longer exists, how does that work? If I ran a search for a sourcetype, would it pull up the data AND show it coming from a host that no longer exists?


Re: Move buckets - Retain old hostnames?

Builder

I'm not saying that the indexed data would be altered. I'm saying the data would be tagged with a hostname that doesn't exist any more. Meanwhile the same data was moved to a new host that now has a different hostname and will be reindexed again. That's what I'm asking - if the data in the buckets is mapped to hostnames, EVEN IF you move those buckets to another indexer.


Re: Move buckets - Retain old hostnames?

Splunk Employee

host is a metadata field written to each event at index time in the index. It is not changed once an event is indexed, irrespective of where the data exists.


Re: Move buckets - Retain old hostnames?

Builder

Ok so then the moved data would show up under the old hostnames then, correct?


Re: Move buckets - Retain old hostnames?

Splunk Employee

Sorry if I am being unclear. What I mean to say is that whatever was extracted at index time will remain in the host field for the lifetime of that particular event. Moving an event from one index, or server, to another would have no effect on the fields extracted at index time.


Re: Move buckets - Retain old hostnames?

Builder

Yep, that answers it... thanks so much.
