Splunk Cluster Migration - keep legacy data search...

agodoy · ‎05-28-2013

I am planning to migrate from an all-in-one Splunk instance to a Splunk cluster. I am thinking about turning the old all-in-one Splunk instance into a search head in the cluster.

So my idea is that the new servers for the cluster will start indexing/replicating any data after the cut and have legacy data in the search head.

Would this give me access to the legacy data? Any issues that I am not thinking about.

mahamed_splunk · ‎11-27-2013

In Splunk 6 it is possible to search from SH both clustered indexers and non-clustered indexer.

More info is here http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/Configurethesearchhead#Search_across_both_cl...

hexx · ‎05-28-2013

At this time, it is indeed not possible to add a legacy peer to a cluster for the purpose of it only servicing searches without indexing or replicating new data. You could actually control the first data intake by making sure that your forwarders don't send data to this indexer, but you can't control the second one: If the peer is in the cluster, it will be eligible to be an index replication target.

Ideally, you would add that indexer as a standalone search peer to the cluster search-head, and point your forwarders away from it. This is not currently possible unfortunately, but we are considering to implement this in the future.

For the time being, it seems that your solution of converting this standalone indexer into a cluster search-head might be your best option. Hopefully, you'll be able to add it as a standalone peer to the cluster and set up a dedicated search-head in a future release.

ChrisG · ‎05-28-2013

If you have not already done so, you should definitely read Migrate non-clustered indexers to a clustered environment in the Managing Indexers and Clusters manual.

okrabbe_splunk · ‎05-28-2013

BTW, a bit tangental but a question shows up as unanswered no matter how many answers are supplied until one answer is excepted.

agodoy · ‎05-28-2013

I have new hardware for the indexers that has higher IOPS. I want to use the new hardware to cluster indexing. However, I want to have the old data available, but I do not want the old hardware to be indexing new data.

ChrisG · ‎05-28-2013

Okay, apologies for misunderstanding. The migration topic does recommend converting your indexer into a search peer rather than a search head--then you'll definitely have access to your legacy data. I don't know if it would work to do it the way you're asking about. Is there a specific reason you want to take this other approach?

agodoy · ‎05-28-2013

Well, I am not trying to migrate my legacy data and I understand the issues with doing that. I want the legacy data to be there while using my legacy instance as a search head instead of a search peer.

ChrisG · ‎05-28-2013

I am confused. You can downvote my answer all you want, but see the section http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Migratenon-clusteredindexerstoaclustereden.... You don't have to like the answer, but contacting professional services is your best bet.

agodoy · ‎05-28-2013

In the future, I recommend adding such a comment as a comment as it does not really address the question. However, it is informative. Any idea how to make the question appear as not answered?

agodoy · ‎05-28-2013

Thanks for the link. Unfortunately, they do not address the topic on that link.

agodoy · ‎05-28-2013

I want to keep all the legacy data.

bmacias84 · ‎05-28-2013

Do you want to keep only selective data or all data?

Splunk Cluster Migration - keep legacy data searchable on non-clustered instance

Access Tokens Page - New & Improved

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security