Based on this previous question here:
I have an additional question about moving buckets. We're closing a datacenter here so all the data in buckets on an indexer is being asked to be moved to a different datacenter. Also, servers that are existing at this datacenter that is closing are being retired or redone with new hostnames and IPs.
If you were to move buckets from one indexer to another, would those buckets retain the old hostnames of servers they received data from? I assume YES but figured I'd ask. Any ideas here?
I wonder if this would cause an issue because... some of these servers that are being moved will still contain old logs from when the server had a different name or IP. I'm wondering if it's just easier to see about reindexing the data under the new name.
Indexed data won't be altered by moving buckets. You're moving all the data as it exists from the source to a destination instance, not altering the event data.
Well, if the data in the buckets is being moved and originally it showed up under a host that no longer exists, how does that work? If I ran a search for a sourcetype, would it pull up the data AND show it coming from a host that no longer exists?
I'm not saying that the indexed data would be altered. I'm saying the data would be tagged with a hostname that doesn't exist any more. Meanwhile the same data was moved to a new host that now has a different hostname and will be reindexed again. That's what I'm asking - if the data in the buckets is mapped to hostnames, EVEN IF you move those buckets to another indexer.
host is a metadata field written to each event at index time in the index. They are not changed once an event is indexed, irrespective of where the data exists.
Sorry if I am being unclear. What I mean to say is that whatever was extracted at index time will remain in the host field for the lifetime of that particular event. Moving an event from one index, or server, to another would have no effect on the fields extracted at index time.