Splunk Cluster Migration - keep legacy data searchable on non-clustered instance

agodoy
Communicator

I am planning to migrate from an all-in-one Splunk instance to a Splunk cluster. I am thinking about turning the old all-in-one Splunk instance into a search head in the cluster.

So my idea is that the new servers for the cluster will start indexing/replicating any data after the cut and have legacy data in the search head.

Would this give me access to the legacy data? Are there any issues that I am not thinking about?

mahamed_splunk
Splunk Employee

In Splunk 6 it is possible to search both clustered indexers and non-clustered indexers from the SH.

More info is here http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/Configurethesearchhead#Search_across_both_cl...

0 Karma

hexx
Splunk Employee

At this time, it is indeed not possible to add a legacy peer to a cluster for the purpose of it only servicing searches without indexing or replicating new data. You could actually control the first data intake by making sure that your forwarders don't send data to this indexer, but you can't control the second one: If the peer is in the cluster, it will be eligible to be an index replication target.

Ideally, you would add that indexer as a standalone search peer to the cluster search-head, and point your forwarders away from it. This is not currently possible unfortunately, but we are considering implementing this in the future.

For the time being, it seems that your solution of converting this standalone indexer into a cluster search-head might be your best option. Hopefully, you'll be able to add it as a standalone peer to the cluster and set up a dedicated search-head in a future release.

ChrisG
Splunk Employee

If you have not already done so, you should definitely read Migrate non-clustered indexers to a clustered environment in the Managing Indexers and Clusters manual.

okrabbe_splunk
Splunk Employee

BTW, a bit tangential, but a question shows up as unanswered no matter how many answers are supplied until one answer is accepted.

0 Karma

agodoy
Communicator

I have new hardware for the indexers that has higher IOPS. I want to use the new hardware to cluster indexing. However, I want to have the old data available, but I do not want the old hardware to be indexing new data.

ChrisG
Splunk Employee

Okay, apologies for misunderstanding. The migration topic does recommend converting your indexer into a search peer rather than a search head--then you'll definitely have access to your legacy data. I don't know if it would work to do it the way you're asking about. Is there a specific reason you want to take this other approach?

0 Karma

agodoy
Communicator

Well, I am not trying to migrate my legacy data and I understand the issues with doing that. I want the legacy data to be there while using my legacy instance as a search head instead of a search peer.

0 Karma

ChrisG
Splunk Employee

I am confused. You can downvote my answer all you want, but see the section http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Migratenon-clusteredindexerstoaclustereden.... You don't have to like the answer, but contacting professional services is your best bet.

0 Karma

agodoy
Communicator

In the future, I recommend adding such a comment as a comment, as it does not really address the question. However, it is informative. Any idea how to make the question appear as not answered?

0 Karma

agodoy
Communicator

Thanks for the link. Unfortunately, they do not address the topic on that link.

0 Karma

agodoy
Communicator

I want to keep all the legacy data.

0 Karma

bmacias84
Champion

Do you want to keep only selective data or all data?

0 Karma